
Security hardening: endpoint auth, rate limiting, input validation #53

Merged
softberries merged 6 commits into main from feat/security-hardening, Mar 30, 2026

Conversation

@softberries (Member) commented Mar 29, 2026

Summary

Comprehensive security hardening based on a full audit of all exposed endpoints and authentication mechanisms.

  • Error sanitization — Sqlx and Git error variants now return a generic "Internal server error" to clients instead of leaking database/git internals. Real errors are logged server-side via tracing::error!
  • CORS enforcement — CORS_ORIGIN env var is now required; the app fails to start if it is missing. Removed the CorsLayer::permissive() fallback that allowed any origin
  • GitHub webhook verification — HMAC-SHA256 signature verification using the X-Hub-Signature-256 header. Requires the GITHUB_WEBHOOK_SECRET env var
  • Rate limiting — Per-IP rate limiting via tower-governor: auth endpoints (login, register, device auth) at 10 req/min, other public endpoints at 60 req/min. Authenticated endpoints have no rate limiting
  • Email validation — Basic format validation (local@domain.tld) on registration
  • Password policy (NIST 800-63B) — 12-128 character length, no composition rules, reject passwords from a known-breached list (~50 entries, case-insensitive)

New environment variables

Variable               Required  Purpose
CORS_ORIGIN            Yes       Allowed CORS origin (e.g., http://localhost:4000)
GITHUB_WEBHOOK_SECRET  Yes       HMAC secret for GitHub webhook signature verification

Test plan

  • 158 tests passing (114 unit + 44 integration)
  • cargo fmt clean
  • cargo clippy -- -D warnings clean
  • Verify .env has both new env vars before running locally
  • Verify GitHub webhook secret matches what's configured in GitHub repo settings

@softberries softberries merged commit 3261eb3 into main Mar 30, 2026
6 checks passed
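The per-IP limiting described in the PR, as an added example that is not the project's code: tower-governor implements GCRA, so this is a small std-only GCRA limiter with an injectable clock, the three-tier policy from the summary (auth endpoints at 10/min, other public endpoints at 60/min, authenticated endpoints exempt), an eviction pass so the per-IP map does not grow without bound, and the key-extraction caveat that matters behind a reverse proxy. The route paths in `tier_for`, the IP addresses, and the `client_ip` helper are assumptions for illustration.

```rust
// Added example (not the project's code): GCRA rate limiting keyed by client IP,
// the algorithm tower-governor uses, with a fake clock (milliseconds) for testing.
use std::collections::HashMap;
use std::net::IpAddr;

#[derive(Debug, PartialEq)]
pub struct Decision { pub allowed: bool, pub retry_after_ms: u64 }

/// One "theoretical arrival time" (TAT) per IP. A request is allowed when the TAT is at
/// most `tolerance_ms` ahead of now; each allowed request moves the TAT forward by one
/// emission interval. This is equivalent to a bucket of `burst` tokens refilled at
/// `burst` per `period_ms`, so "10 req/min" is `RateLimiter::new(10, 60_000)`.
pub struct RateLimiter { emission_ms: u64, tolerance_ms: u64, tat: HashMap<IpAddr, u64> }

impl RateLimiter {
    pub fn new(burst: u64, period_ms: u64) -> Self {
        assert!(burst >= 1 && period_ms >= burst, "quota must be at least 1 per period");
        let emission_ms = period_ms / burst;
        Self { emission_ms, tolerance_ms: emission_ms * (burst - 1), tat: HashMap::new() }
    }

    pub fn check(&mut self, ip: IpAddr, now_ms: u64) -> Decision {
        let tat = self.tat.get(&ip).copied().unwrap_or(0).max(now_ms);
        if tat - now_ms > self.tolerance_ms {
            // Denied requests do not touch state, so hammering does not extend the wait.
            return Decision { allowed: false, retry_after_ms: tat - self.tolerance_ms - now_ms };
        }
        self.tat.insert(ip, tat + self.emission_ms);
        Decision { allowed: true, retry_after_ms: 0 }
    }

    /// Drop IPs whose bucket is full again (TAT in the past); a fresh entry behaves
    /// identically. Run periodically or the map holds every IP ever seen.
    pub fn evict_idle(&mut self, now_ms: u64) -> usize {
        let before = self.tat.len();
        self.tat.retain(|_, tat| *tat > now_ms);
        before - self.tat.len()
    }
}

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Tier { Auth, Public, Authenticated }

/// Route a request to a limiter tier. Auth endpoints are limited even for logged-in
/// callers; authenticated traffic elsewhere is exempt, as the PR states, which means a
/// leaked session token is not throttled and abuse there must be caught by other means.
pub fn tier_for(path: &str, authenticated: bool) -> Tier {
    // Hypothetical route names; the PR does not list the actual paths.
    const AUTH_PATHS: [&str; 3] = ["/auth/login", "/auth/register", "/auth/device"];
    if AUTH_PATHS.contains(&path) { Tier::Auth }
    else if authenticated { Tier::Authenticated }
    else { Tier::Public }
}

/// Limiter key. Behind a reverse proxy the TCP peer is the proxy, so every client would
/// share one bucket; but trusting X-Forwarded-For from the open internet lets a client
/// choose its own key. Honour the header only when a trusted proxy appends to it, and
/// take the rightmost entry, which is the address that proxy actually saw.
pub fn client_ip(peer: IpAddr, forwarded_for: Option<&str>, behind_trusted_proxy: bool) -> IpAddr {
    if !behind_trusted_proxy { return peer; }
    forwarded_for
        .and_then(|h| h.rsplit(',').next())
        .and_then(|s| s.trim().parse::<IpAddr>().ok())
        .unwrap_or(peer)
}

fn main() {
    let mut auth = RateLimiter::new(10, 60_000);
    let ip: IpAddr = "203.0.113.7".parse().unwrap();
    for t in [0u64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6_000] {
        println!("t={}ms {:?}", t, auth.check(ip, t));
    }
}
```

In tower-governor terms the choice in `client_ip` is the key extractor: a peer-address extractor is safe but useless behind a proxy, and a header-based one is only safe when the proxy is the sole thing that can reach the service.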
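The two registration checks from the PR summary, as an added example that is not the project's code: a "local@domain.tld" shape check for the email and a NIST SP 800-63B style password policy, which is length only (12 to 128 characters, counted as characters rather than bytes so non-ASCII passphrases are measured the way users expect), no composition rules, spaces allowed, and a case-insensitive blocklist lookup. The PR's ~50-entry breached list is not on the page, so the `SAMPLE_BREACHED` entries below are constructed placeholders, and the error enum and function names are assumptions.

```rust
// Added example (not the project's code): registration input validation in the shape
// the PR describes (email format check + NIST 800-63B password policy).
use std::collections::HashSet;

pub const MIN_PASSWORD_CHARS: usize = 12;
pub const MAX_PASSWORD_CHARS: usize = 128;

#[derive(Debug, PartialEq)]
pub enum RegistrationError { InvalidEmail, PasswordTooShort, PasswordTooLong, PasswordBreached }

/// Build the blocklist once at startup, lower-cased, so each check is one hash probe
/// on the lower-cased candidate (the PR's "case-insensitive" match).
pub fn load_breached_list(entries: &[&str]) -> HashSet<String> {
    entries.iter().map(|e| e.trim().to_lowercase()).collect()
}

/// Basic "local@domain.tld" check: exactly one '@', non-empty local part, no whitespace
/// or control characters, and a domain of at least two ASCII labels. This rejects
/// internationalised domains unless they arrive already punycode-encoded.
pub fn validate_email(email: &str) -> bool {
    if email.is_empty() || email.len() > 254 { return false; }
    if email.chars().any(|c| c.is_whitespace() || c.is_control()) { return false; }
    let (local, domain) = match email.split_once('@') { Some(p) => p, None => return false };
    if local.is_empty() || local.len() > 64 || domain.contains('@') { return false; }
    let labels: Vec<&str> = domain.split('.').collect();
    labels.len() >= 2
        && labels.iter().all(|l| {
            !l.is_empty() && !l.starts_with('-') && !l.ends_with('-')
                && l.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
        })
}

/// 800-63B: length is the only rule. No character-class demands, no truncation, and
/// the password is compared against the breach list case-insensitively.
pub fn validate_password(pw: &str, breached: &HashSet<String>) -> Result<(), RegistrationError> {
    // Count Unicode scalar values, not bytes: "ñ" is one character, not two.
    let n = pw.chars().count();
    if n < MIN_PASSWORD_CHARS { return Err(RegistrationError::PasswordTooShort); }
    if n > MAX_PASSWORD_CHARS { return Err(RegistrationError::PasswordTooLong); }
    if breached.contains(&pw.to_lowercase()) { return Err(RegistrationError::PasswordBreached); }
    Ok(())
}

/// Email is trimmed (copy-paste whitespace is common); the password is taken verbatim.
pub fn validate_registration(email: &str, pw: &str, breached: &HashSet<String>) -> Result<(), RegistrationError> {
    if !validate_email(email.trim()) { return Err(RegistrationError::InvalidEmail); }
    validate_password(pw, breached)
}

// Constructed sample; stands in for the PR's ~50-entry list, which is not on the page.
pub const SAMPLE_BREACHED: &[&str] = &["password1234", "qwertyuiop12", "123456789012", "iloveyou1234"];

fn main() {
    let breached = load_breached_list(SAMPLE_BREACHED);
    let cases = [("alice@example.com", "correct horse battery staple"),
                 ("alice@example.com", "Password1234"),
                 ("bob@localhost", "a perfectly fine passphrase")];
    for (email, pw) in cases.iter() {
        println!("{:?} / {:?} -> {:?}", email, pw, validate_registration(email, pw, &breached));
    }
}
```

The one deliberate gap relative to a full 800-63B deployment is the size of the blocklist: a few dozen entries catch the obvious "Password1234" class, but a real check should consult a large corpus (for example a k-anonymity range query against a breach API), which this offline example does not do.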