
Fix: add explicit HTTP request timeout (default 30s)#9

Merged
odesenfans merged 2 commits into main from add-http-timeout on May 18, 2026
Conversation

@odesenfans
Collaborator

Summary

Fixes security finding M3: aiohttp.ClientSession in make_p2p_service_client was constructed without an explicit timeout=, so callers silently inherited aiohttp's 5-minute total-timeout default. A hung or malicious P2P daemon could pin a client coroutine for up to 5 minutes per request, enabling trivial resource exhaustion / liveness attacks against client services.

Change

  • Added an http_timeout: float = 30.0 parameter to make_p2p_service_client (seconds, total timeout — sane default for control-plane calls like identify / dial).
  • Passed timeout=aiohttp.ClientTimeout(total=http_timeout) to the ClientSession constructor.
http_session = aiohttp.ClientSession(
    base_url=f"http://{http_host}:{http_port}/",
    timeout=aiohttp.ClientTimeout(total=http_timeout),
)

Behavior change (heads-up for callers)

This is a default behavior change:

  • Before: no timeout= passed -> aiohttp's default of ClientTimeout(total=300) (5 minutes) applied.
  • After: ClientTimeout(total=30) (30 seconds) applied.

Callers that legitimately need longer HTTP calls can override at construction time:

client = await make_p2p_service_client(
    service_name="my-service",
    http_timeout=120.0,  # seconds
)

To preserve the previous behavior exactly, pass http_timeout=300.0.

Out of scope

  • No timeouts changed on the aio_pika / RabbitMQ side — message-queue connections have their own heartbeat/timeout semantics and are handled separately.
  • No TLS or credential changes.

Test plan

  • make_p2p_service_client(...) still works with no http_timeout argument (uses 30s).
  • Passing http_timeout=... is honored by the resulting ClientSession.
  • A non-responsive HTTP server causes identify() / dial() to raise asyncio.TimeoutError (or aiohttp equivalent) after ~30s instead of ~300s.
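The liveness problem the PR describes, as an added stand-alone example (not the project's code): a constructed hung P2P daemon that accepts the connection and never answers, and a hypothetical P2PHttpClient stand-in whose http_timeout bounds the whole request the way aiohttp.ClientTimeout(total=...) does in make_p2p_service_client. It uses only the standard library (asyncio.wait_for in place of the aiohttp session) so it runs without aiohttp installed; seconds_until_timeout measures how long a call stays pinned before TimeoutError.

```python
import asyncio

async def _hung_daemon(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    # Constructed stand-in for a hung P2P daemon: accept the connection,
    # swallow the request and never answer until the client hangs up.
    await reader.read()
    writer.close()

class P2PHttpClient:
    # Hypothetical stand-in for the aiohttp.ClientSession built by
    # make_p2p_service_client, which passes ClientTimeout(total=http_timeout).
    # The same "total" bound (connect + send + receive) is enforced here
    # with asyncio.wait_for so the example runs on the standard library alone.
    def __init__(self, host: str, port: int, http_timeout: float = 30.0) -> None:
        self.host, self.port, self.http_timeout = host, port, http_timeout

    async def get(self, path: str) -> bytes:
        async def exchange() -> bytes:
            reader, writer = await asyncio.open_connection(self.host, self.port)
            try:
                writer.write(f"GET {path} HTTP/1.0\r\nHost: {self.host}\r\n\r\n".encode())
                await writer.drain()
                return await reader.read()  # never returns against a hung daemon
            finally:
                writer.close()

        return await asyncio.wait_for(exchange(), timeout=self.http_timeout)

async def _time_to_fail(http_timeout: float) -> float:
    # Serve a hung daemon on an ephemeral localhost port, issue one request
    # with the given total timeout and report how long the coroutine was pinned.
    server = await asyncio.start_server(_hung_daemon, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    loop = asyncio.get_running_loop()
    try:
        client = P2PHttpClient("127.0.0.1", port, http_timeout=http_timeout)
        start = loop.time()
        try:
            await client.get("/identify")
        except asyncio.TimeoutError:
            return loop.time() - start
        raise RuntimeError("hung daemon unexpectedly answered")
    finally:
        server.close()

def seconds_until_timeout(http_timeout: float) -> float:
    # With the old aiohttp default this would be ~300s; with http_timeout=0.5 it is ~0.5s.
    return asyncio.run(_time_to_fail(http_timeout))
```

Calling seconds_until_timeout(0.5) returns roughly 0.5; the same call against the old 300-second default would pin the coroutine for five minutes, which is the exposure the PR closes.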

Previously, the aiohttp.ClientSession in make_p2p_service_client was
constructed without a timeout, so callers silently inherited aiohttp's
5-minute total-timeout default. A hung or malicious P2P daemon could
pin a client coroutine for 5 minutes per request.

Add an http_timeout parameter (default 30s) and pass
aiohttp.ClientTimeout(total=http_timeout) to the ClientSession.
@odesenfans odesenfans merged commit cb6ff3b into main May 18, 2026
1 check passed
@odesenfans odesenfans deleted the add-http-timeout branch May 18, 2026 22:18
