security: implement quick win remediations (FLOOD-001, CLI-002, CLI-003, AUDIT-001)

FLOOD-001: Cap anti-flood request list at configurable max entries
- Add ANTIFLOOD_MAX_ENTRIES config (default 10000)
- Prune oldest entries when limit exceeded

CLI-002: Explicitly set SSL hostname verification
- Add ctx.check_hostname = True and ctx.verify_mode = CERT_REQUIRED
- Defense in depth (create_default_context sets these by default)

CLI-003: Warn on insecure config file permissions
- Check if config file is world-readable
- Print warning to stderr if permissions too open

AUDIT-001: Already implemented - query has LIMIT/OFFSET with 500 max
Username
2025-12-24 23:02:55 +01:00
parent 1fbb69d7f9
commit da1beca893
4 changed files with 40 additions and 4 deletions

@@ -98,11 +98,18 @@ def record_antiflood_request() -> None:
decay = current_app.config["ANTIFLOOD_DECAY"]
base = current_app.config["POW_DIFFICULTY"]
max_entries = current_app.config.get("ANTIFLOOD_MAX_ENTRIES", 10000)
with _antiflood_lock:
# Clean old requests
cutoff = now - window
_antiflood_requests[:] = [t for t in _antiflood_requests if t > cutoff]
# FLOOD-001: Cap list size to prevent memory exhaustion
if len(_antiflood_requests) >= max_entries:
# Keep only the most recent half
_antiflood_requests[:] = _antiflood_requests[-(max_entries // 2) :]
# Record this request
_antiflood_requests.append(now)
count = len(_antiflood_requests)
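Review bot: The cap branch truncates to the most recent `max_entries // 2` timestamps before `count = len(_antiflood_requests)` is taken, so at the exact moment the list is fullest (heaviest load) the recorded count halves and the difficulty derived from it drops, which is the opposite of what anti-flooding wants; consider treating a full list as saturation (e.g. `count = max(len(_antiflood_requests), max_entries)` when the cap was hit, or a bounded `collections.deque(maxlen=max_entries)` plus an overflow counter reset on the window cleanup) so the cap bounds memory without lowering the difficulty. Also note the check runs before `append(now)`, so the list can reach `max_entries + 1` entries for one request, and the comment "Cap list size" should say the list is halved, not trimmed to the cap, to match behaviour.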