fix(security): close MEDIUM ASVS findings — JWT pinning, SSE tickets, SSRF, mTLS pin, rate limits + correctness bugs

Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1):
- Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation
  (jti denylist + tokens_valid_from) still enforced.
- Change-password now requires min_length=12.
- SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket
  (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream.
  Removed dead fail-open get_stream_user helper.

Egress (V5.1.1, V9.1.1/V14.1.3):
- Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/
  metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the
  vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE.
- UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host
  fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now
  defaults True.

Hardening (V13.1.3, V4.1.4, V13.1.2):
- Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create
  (20/min), host-delete (20/min) via the existing slowapi limiter.
- Correct false 'global auth middleware' comment; document enroll-bundle proxy
  trust.

Correctness (BUG-7..11):
- BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling);
  BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities;
  BUG-11 normalize naive timestamps to UTC.

Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for
every fix; unanimous adversarial review.

tests/correlation/test_fingerprint_rotation.py

@@ -235,3 +235,69 @@ def test_multiple_rotations_increment_counter(engine, now):
         row = session.exec(select(AttackerFingerprintState)).one()
         assert row.rotation_count == 2
         assert row.last_hash == "h3"
+
+
+def test_emit_after_commit_raising_publish_does_not_lose_row(engine, now) -> None:
+    """BUG-9 regression: publish_fn is called AFTER session.commit().
+
+    A raising publish_fn must not roll back / lose the committed rotation
+    row.  Before fix, publish was called before commit so a raise in
+    publish_fn left the session without a commit and the state row was lost.
+    """
+    later = now + timedelta(hours=1)
+
+    call_order: list[str] = []
+
+    class _OrderRecorder:
+        def __call__(self, event_type: str, payload: dict) -> None:
+            call_order.append("emit")
+            raise RuntimeError("downstream unavailable")
+
+    publish = _OrderRecorder()
+
+    with Session(engine) as session:
+        # Patch session.commit to record ordering.
+        original_commit = session.commit
+
+        def _recording_commit() -> None:
+            call_order.append("commit")
+            original_commit()
+
+        session.commit = _recording_commit  # type: ignore[method-assign]
+
+        _seed_attacker(session)
+
+    with Session(engine) as session:
+        original_commit2 = session.commit
+
+        def _recording_commit2() -> None:
+            call_order.append("commit")
+            original_commit2()
+
+        session.commit = _recording_commit2  # type: ignore[method-assign]
+
+        # first_sighting — no publish yet
+        record_fingerprint(
+            session,
+            attacker_ip="1.2.3.4", port=22, probe_type="hassh",
+            new_hash="h1", ts=now,
+        )
+        call_order.clear()
+
+        # rotation — publish_fn raises after commit
+        outcome = record_fingerprint(
+            session,
+            attacker_ip="1.2.3.4", port=22, probe_type="hassh",
+            new_hash="h2", ts=later,
+            publish_fn=publish,
+        )
+
+    assert outcome.kind == "rotated"
+    # commit must come before emit
+    assert call_order.index("commit") < call_order.index("emit")
+
+    # The rotation row must be persisted despite publish raising
+    with Session(engine) as session:
+        row = session.exec(select(AttackerFingerprintState)).one()
+        assert row.last_hash == "h2"
+        assert row.rotation_count == 1