[S7] Security hardening and audit #71

@krakenhavoc

Description

Security review and hardening of the entire GitHub integration.

Checklist

  • Webhook signature verification uses timing-safe comparison
  • OIDC JWT validation checks: signature, expiry, audience, issuer
  • No secrets (API keys, private keys, tokens) appear in any log output
  • All external input (webhook payloads, config files, API params) validated with Zod
  • GitHub API tokens are short-lived and properly scoped
  • Database queries use parameterized queries (TypeORM handles this)
  • Webhook delivery ID deduplication prevents replay attacks
  • Error responses don't leak internal details
  • libsodium encryption for GitHub secrets is correct
  • Rate limiting on manual reconciliation endpoint
  • CORS and content-type validation on webhook endpoint

Acceptance Criteria

  • All checklist items verified
  • No HIGH/CRITICAL findings
  • Any accepted risks documented
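The first, seventh and eleventh checklist items (timing-safe signature comparison, delivery-ID replay protection, content-type validation on the webhook endpoint) fit together in one handler, so here is an added worked example of that handler. It is example code written for this review, not code from the project in this issue. It assumes the GitHub header names `X-Hub-Signature-256` and `X-GitHub-Delivery` (as Node lowercases them), the `sha256=<hex>` signature format GitHub documents, Node's `node:crypto`, and an in-memory delivery store standing in for whatever shared store the project uses; the secret, body and delivery GUID are constructed sample data. Zod validation of the parsed body would follow the returned `ok` and is not shown.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Header names as GitHub sends them, lower-cased the way Node's http module exposes them.
export type WebhookHeaders = Record<string, string | undefined>;

export interface VerifyResult {
  ok: boolean;
  reason?: string;     // for the server log only; the HTTP response stays generic (400/401)
  deliveryId?: string;
}

// In-memory delivery-ID store with a TTL. Assumption: a real deployment backs this with a
// shared store (e.g. the database) so replay protection survives restarts and scale-out.
export class DeliveryDedup {
  private readonly seen = new Map<string, number>();
  private readonly ttlMs: number;

  constructor(ttlMs: number = 24 * 60 * 60 * 1000) {
    this.ttlMs = ttlMs;
  }

  // Returns true the first time an ID is seen inside the TTL window, false on a replay.
  markIfNew(id: string, now: number = Date.now()): boolean {
    this.seen.forEach((firstSeen, key) => {
      if (now - firstSeen > this.ttlMs) this.seen.delete(key);
    });
    if (this.seen.has(id)) return false;
    this.seen.set(id, now);
    return true;
  }
}

// The same computation GitHub performs: HMAC-SHA256 over the exact raw request body
// (never over a re-serialised JSON object, which would silently break verification).
export function signPayload(secret: string, rawBody: Buffer): string {
  return "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
}

export function verifySignature(secret: string, rawBody: Buffer, header: string | undefined): boolean {
  if (!header || !header.startsWith("sha256=")) return false;
  const expected = Buffer.from(signPayload(secret, rawBody), "utf8");
  const received = Buffer.from(header, "utf8");
  // timingSafeEqual throws on unequal lengths, so the length check comes first. The digest
  // length is public (always 64 hex chars), so rejecting early on length leaks nothing.
  if (expected.length !== received.length) return false;
  return timingSafeEqual(expected, received);
}

export function verifyWebhook(
  secret: string,
  rawBody: Buffer,
  headers: WebhookHeaders,
  dedup: DeliveryDedup,
): VerifyResult {
  // 1. Authenticate first: nothing below must be reachable with a forged request,
  //    including the dedup store (an attacker must not be able to pre-register IDs).
  if (!verifySignature(secret, rawBody, headers["x-hub-signature-256"])) {
    return { ok: false, reason: "bad signature" };
  }
  // 2. Accept only the media type the handler actually parses; ignore parameters like charset.
  const [mediaType = ""] = (headers["content-type"] ?? "").split(";");
  if (mediaType.trim().toLowerCase() !== "application/json") {
    return { ok: false, reason: "unsupported content type" };
  }
  // 3. Replay protection keyed on GitHub's per-delivery GUID.
  const deliveryId = headers["x-github-delivery"];
  if (!deliveryId) return { ok: false, reason: "missing delivery id" };
  if (!dedup.markIfNew(deliveryId)) return { ok: false, reason: "duplicate delivery" };
  return { ok: true, deliveryId };
}

// Constructed sample traffic: a signed delivery, the same delivery replayed, and a tampered body.
export function demo(): VerifyResult[] {
  const secret = "example-webhook-secret"; // constructed, not a real secret
  const body = Buffer.from('{"action":"opened","number":1}', "utf8");
  const headers: WebhookHeaders = {
    "content-type": "application/json",
    "x-github-delivery": "00000000-0000-4000-8000-000000000001", // constructed GUID
    "x-hub-signature-256": signPayload(secret, body),
  };
  const dedup = new DeliveryDedup();
  return [
    verifyWebhook(secret, body, headers, dedup),                                       // ok
    verifyWebhook(secret, body, headers, dedup),                                       // duplicate delivery
    verifyWebhook(secret, Buffer.from('{"action":"closed"}', "utf8"), headers, dedup), // bad signature
  ];
}

console.log(demo());
```

The ordering is the point to check during the audit: signature verification runs before the delivery-ID lookup, so an unauthenticated sender cannot fill the dedup store with IDs and cause legitimate deliveries to be dropped, and the `reason` strings are meant for the log line, not the HTTP body, which keeps the "error responses don't leak internal details" item honest.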

Metadata

Assignees

No one assigned

    Labels

      • github-integration: GitHub App + Action integration
      • security: Security hardening
      • sprint-7: Sprint 7: OIDC, Observability & Hardening

    Development

    No branches or pull requests