fix: address four peer-reachable security issues

[CoderZhi]

Summary

Four independent HIGH-severity issues reachable by any peer, fixed
together because they all live on the unauthenticated network surface:

• nodeinfo: HandleNodeInfo dereferenced msg.Info without a nil
  check, so any peer broadcasting NODE_INFO with Info=nil crashed
  the receiving node. Guard msg / msg.Info up front.
• actsync: ActionSync.actions was an unbounded sync.Map keyed by
  hash. Flooding forged ACTION_HASH messages drove the map to OOM,
  and the periodic triggerSync amplified the flood into per-hash
  unicast requests to neighbors. Cap live entries at cfg.Size via an
  atomic counter; LoadOrStore / LoadAndDelete refund the slot on
  dedup and on receipt.
• server/itx: the admin mux (/pause, /unpause, /producer-keys,
  pprof) bound to all interfaces on :HTTPAdminPort. Any host reachable
  on that port could halt block production with an unauthenticated
  POST /pause. Bind to 127.0.0.1 only.
• actpool: the pool is sharded into 16 workers by
  addr.Bytes()[last]%16. The MaxNumActsPerPool full-check was global
  but the eviction (worker.accountActs.PopPeek) ran on the receiving
  worker's local shard. Filling one shard with gapped future-nonce
  min-fee spam from grinded same-shard accounts forced honest senders
  in the other 15 shards to evict their own actions while the attacker
  paid nothing. Add popLowestPriorityAcrossWorkers, which locks all
  workers in index order and evicts the globally-lowest-priority head,
  matching accountPriorityQueue.Less.

Why grouped

Each fix is small, but separating them creates four parallel branches
on the same hardening pass. They were all surfaced together as
peer-reachable HIGH-severity findings. None of them depend on each
other; bisecting is straightforward (each fix is isolated to its own
file/package).

Deadlock analysis (actpool)

popLowestPriorityAcrossWorkers is the only multi-worker.mu site in
the package. It acquires all 16 worker mutexes in a fixed index order;
every other call site holds at most a single worker's mutex. Therefore
no cycle can form. removeInvalidActs (which fires subscriber
onRemoved callbacks) now runs outside the worker-mu region; the
prior code held the local worker mutex while firing those callbacks,
so this change is strictly safer for subscriber re-entrancy.

Test plan

• go test ./actpool/ ./actsync/ ./nodeinfo/ -race — 107 pass
• go build ./... — clean
• nodeinfo — nil_msg_and_nil_info no-panic case
• actsync — flood capacity, duplicate dedup, concurrent flood
  respects cap under -race
• actpool — direct global-pop unit, headLess truth table
  mirroring accountPriorityQueue.Less, end-to-end Add cross-shard
  eviction, ErrTxPoolOverflow when newcomer is globally lowest,
  concurrent multi-shard stress for deadlock detection (-race)
• CI green

Notes for reviewers

• The admin-mux change drops external reachability of the admin
  endpoints. Anyone using /ha, /producer-keys, or pprof over the
  network will need an SSH tunnel or a sidecar proxy instead. Default
  config disables the admin port (HTTPAdminPort: 0), so production
  nodes that haven't opted in are unaffected.
• Under sustained pool overflow the global eviction briefly serializes
  all 16 workers. Overflow is the rare path; the alternative (per-shard)
  is the bug being fixed.
• The actpool global full-check is read-then-act and can transiently
  overshoot MaxNumActsPerPool under concurrency. This is pre-existing
  behavior and not introduced by this PR.

🤖 Generated with Claude Code

[sonarqubecloud]

Quality Gate failed

Failed conditions
16.7% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud