Security: harden API ingress and CI scanning #117

Merged
samrusani merged 1 commit into main from mvp-pentest-02
Apr 9, 2026

@samrusani
Owner

Summary

This PR hardens the public API entrypoints and the repository security posture without changing the control docs.

What changed

  • adds deterministic entrypoint rate limiting for magic-link start/verify and Telegram webhook ingress
  • adds configurable CORS, security headers, and trusted-proxy handling for the API
  • hides magic-link challenge tokens outside development and requires configured Telegram webhook ingress outside development
  • adds security posture integration coverage and expands unit/integration coverage for the new config and rate-limiter behavior
  • adds GitHub security automation with Dependabot, Gitleaks, and CodeQL
  • tightens npm publish workflow permissions and serializes publish runs

Verification

  • ./.venv/bin/python -m pytest tests/unit/test_config.py tests/unit/test_main.py tests/integration/test_http_security_posture.py tests/integration/test_phase10_identity_workspace_bootstrap_api.py tests/integration/test_phase10_telegram_transport_api.py -q
  • result: 83 passed in 7.10s

Notes

  • This branch was merged under explicit user override of the normal packet/report alignment policy for this repo.

@samrusani samrusani merged commit d39ace6 into main Apr 9, 2026
0 of 3 checks passed
@samrusani samrusani deleted the mvp-pentest-02 branch April 9, 2026 22:12
samrusani added a commit that referenced this pull request Apr 11, 2026
Co-authored-by: Redacted User <redacted@users.noreply.github.com>