Use selected fields from app in context to avoid secrets

[Jamstah]

The app struct includes sensitive data that the handlers don't necessarily need access to, so remove it from the context, and don't pass the app in place of contexts.

Where handlers do need configuration data from the app, store it in the handler's own struct instead of relying on it being in context.

[Jamstah]

This "fixes" some false positives from CodeQL discussed here: github/codeql#16486

There's one thing I'm unsure about - the repo remover currently in handlers.Context is an instance of a distribution.Namespace that supports the remover interface. As its the distribution.Namespace instance that contains the potential secrets, this PR removes it from the context.

The repo remover that we stored in handlers.Context never gets used in the codebase, but it is exported, so that may be considered a breaking change to the API... but I'm not super familiar with how that works for consumers.

[Jamstah]

An alternative to this PR is to just mark the false positives as such, but I'd already done this work as part of investigating, and I believe that cleaning up our contexts is something we're interested in doing anyway.