feat(api): pin response_model on dict-returning mutation routes

Every mutation route that returned an untyped dict now declares
response_model at the decorator. MessageResponse covers the eight
{"message": ...} envelopes (change-password, mutate-decky, mutate-
interval, update-deployment-limit, update-global-mutation-interval,
delete-user, update-user-role, reset-user-password). Purpose-built
models cover the richer shapes (DeployResponse for /deckies/deploy,
PurgeResponse for /config/reinit, ReapReportResponse for /reap-orphans,
UserResponse for /config/users). 204-No-Content and Response/
ORJSONResponse routes stay as-is.

The wire shape for clients is unchanged — the envelopes already only
shipped a message field. What changes is that a handler which
accidentally returns a richer dict (e.g. a full user row including
password_hash) would be silently stripped to the declared fields at
serialization time.

Also flips F4/D "expensive LIKE" to accepted (new DA-09) — the /logs
and /attackers search routes LIKE-scan unbounded columns, but both are
admin-gated, limit-capped, and operator rate-limit scope per DA-04.
FTS5 stays a performance TODO, not a security blocker.

decnet/web/router/auth/api_change_pass.py

@@ -5,7 +5,7 @@ from fastapi import APIRouter, Depends, HTTPException, status
 from decnet.telemetry import traced as _traced
 from decnet.web.auth import ahash_password, averify_password
 from decnet.web.dependencies import get_current_user_unchecked, invalidate_user_cache, repo
-from decnet.web.db.models import ChangePasswordRequest
+from decnet.web.db.models import ChangePasswordRequest, MessageResponse
 
 router = APIRouter()
 
@@ -13,6 +13,7 @@ router = APIRouter()
 @router.post(
     "/auth/change-password",
     tags=["Authentication"],
+    response_model=MessageResponse,
     responses={
         400: {"description": "Bad Request (e.g. malformed JSON)"},
         401: {"description": "Could not validate credentials"},

decnet/web/router/config/api_manage_users.py

@@ -8,8 +8,9 @@ from decnet.web.dependencies import require_admin, invalidate_user_cache, repo
 from decnet.web.router.config.api_get_config import invalidate_list_users_cache
 from decnet.web.db.models import (
     CreateUserRequest,
-    UpdateUserRoleRequest,
+    MessageResponse,
     ResetUserPasswordRequest,
+    UpdateUserRoleRequest,
     UserResponse,
 )
 
@@ -19,6 +20,7 @@ router = APIRouter()
 @router.post(
     "/config/users",
     tags=["Configuration"],
+    response_model=UserResponse,
     responses={
         400: {"description": "Bad Request (e.g. malformed JSON)"},
         401: {"description": "Could not validate credentials"},
@@ -56,6 +58,7 @@ async def api_create_user(
 @router.delete(
     "/config/users/{user_uuid}",
     tags=["Configuration"],
+    response_model=MessageResponse,
     responses={
         401: {"description": "Could not validate credentials"},
         403: {"description": "Admin access required / cannot delete self"},
@@ -81,6 +84,7 @@ async def api_delete_user(
 @router.put(
     "/config/users/{user_uuid}/role",
     tags=["Configuration"],
+    response_model=MessageResponse,
     responses={
         400: {"description": "Bad Request (e.g. malformed JSON)"},
         401: {"description": "Could not validate credentials"},
@@ -111,6 +115,7 @@ async def api_update_user_role(
 @router.put(
     "/config/users/{user_uuid}/reset-password",
     tags=["Configuration"],
+    response_model=MessageResponse,
     responses={
         400: {"description": "Bad Request (e.g. malformed JSON)"},
         401: {"description": "Could not validate credentials"},

decnet/web/router/config/api_reinit.py

@@ -2,6 +2,7 @@ from fastapi import APIRouter, Depends, HTTPException
 
 from decnet.env import DECNET_DEVELOPER
 from decnet.telemetry import traced as _traced
+from decnet.web.db.models import PurgeResponse
 from decnet.web.dependencies import require_admin, repo
 
 router = APIRouter()
@@ -10,6 +11,7 @@ router = APIRouter()
 @router.delete(
     "/config/reinit",
     tags=["Configuration"],
+    response_model=PurgeResponse,
     responses={
         401: {"description": "Could not validate credentials"},
         403: {"description": "Admin access required or developer mode not enabled"},

decnet/web/router/config/api_update_config.py

@@ -2,7 +2,7 @@ from fastapi import APIRouter, Depends
 
 from decnet.telemetry import traced as _traced
 from decnet.web.dependencies import require_admin, repo
-from decnet.web.db.models import DeploymentLimitRequest, GlobalMutationIntervalRequest
+from decnet.web.db.models import DeploymentLimitRequest, GlobalMutationIntervalRequest, MessageResponse
 
 router = APIRouter()
 
@@ -10,6 +10,7 @@ router = APIRouter()
 @router.put(
     "/config/deployment-limit",
     tags=["Configuration"],
+    response_model=MessageResponse,
     responses={
         400: {"description": "Bad Request (e.g. malformed JSON)"},
         401: {"description": "Could not validate credentials"},
@@ -29,6 +30,7 @@ async def api_update_deployment_limit(
 @router.put(
     "/config/global-mutation-interval",
     tags=["Configuration"],
+    response_model=MessageResponse,
     responses={
         400: {"description": "Bad Request (e.g. malformed JSON)"},
         401: {"description": "Could not validate credentials"},

decnet/web/router/fleet/api_deploy_deckies.py

@@ -9,7 +9,7 @@ from decnet.engine import deploy as _deploy
 from decnet.ini_loader import load_ini_from_string
 from decnet.network import detect_interface, detect_subnet, get_host_ip
 from decnet.web.dependencies import require_admin, repo
-from decnet.web.db.models import DeployIniRequest
+from decnet.web.db.models import DeployIniRequest, DeployResponse
 from decnet.web.router.swarm.api_deploy_swarm import dispatch_decnet_config
 
 log = get_logger("api")
@@ -20,6 +20,7 @@ router = APIRouter()
 @router.post(
     "/deckies/deploy",
     tags=["Fleet Management"],
+    response_model=DeployResponse,
     responses={
         400: {"description": "Bad Request (e.g. malformed JSON)"},
         401: {"description": "Could not validate credentials"},

decnet/web/router/fleet/api_mutate_decky.py

@@ -3,6 +3,7 @@ from fastapi import APIRouter, Depends, HTTPException, Path
 
 from decnet.telemetry import traced as _traced
 from decnet.mutator import mutate_decky
+from decnet.web.db.models import MessageResponse
 from decnet.web.dependencies import require_admin, repo
 
 router = APIRouter()
@@ -11,6 +12,7 @@ router = APIRouter()
 @router.post(
     "/deckies/{decky_name}/mutate",
     tags=["Fleet Management"],
+    response_model=MessageResponse,
     responses={
         401: {"description": "Could not validate credentials"},
         403: {"description": "Insufficient permissions"},

decnet/web/router/fleet/api_mutate_interval.py

@@ -3,7 +3,7 @@ from fastapi import APIRouter, Depends, HTTPException
 from decnet.telemetry import traced as _traced
 from decnet.config import DecnetConfig
 from decnet.web.dependencies import require_admin, repo
-from decnet.web.db.models import MutateIntervalRequest
+from decnet.web.db.models import MessageResponse, MutateIntervalRequest
 
 router = APIRouter()
 
@@ -17,6 +17,7 @@ def _parse_duration(s: str) -> int:
 
 
 @router.put("/deckies/{decky_name}/mutate-interval", tags=["Fleet Management"],
+    response_model=MessageResponse,
     responses={
         400: {"description": "Bad Request (e.g. malformed JSON)"},
         401: {"description": "Could not validate credentials"},

decnet/web/router/topology/api_reap_orphans.py

@@ -18,6 +18,7 @@ from fastapi import APIRouter, Depends
 
 from decnet.engine.reaper import reap_orphan_topology_resources
 from decnet.telemetry import traced as _traced
+from decnet.web.db.models import ReapReportResponse
 from decnet.web.dependencies import repo, require_admin
 
 router = APIRouter()
@@ -26,6 +27,7 @@ router = APIRouter()
 @router.post(
     "/reap-orphans",
     tags=["MazeNET Topologies"],
+    response_model=ReapReportResponse,
     responses={
         401: {"description": "Missing or invalid credentials"},
         403: {"description": "Insufficient permissions"},