
fix(security): harden review findings #508

Open
dongmucat wants to merge 1 commit into main from fix/security-review-hardening

@dongmucat

Collaborator

What

  • Restrict global namespace member listing to platform admins.
  • Tighten CSRF bypasses to bearer-token requests and exact OAuth device POST endpoints.
  • Fail closed for public/namespace-only publishing when the scanner is disabled.
  • Add bounded CLI download and ZIP central-directory limits.
  • Require a strong anonymous download cookie secret in release/staging config.
  • Bind Vite dev server to loopback by default.
  • Add dependency-review/CodeQL workflow coverage and script guardrails.

Why

Addresses the actionable findings from the 2026-06-10 security review against the latest main branch.

How

  • Added backend checks, i18n messages, config validation, and targeted regression tests.
  • Updated CLI package download/extraction paths to reject oversized responses and archives before extraction.
  • Updated smoke expectations to match protected metrics/namespaces routes.
  • Regenerated the checked-in OpenAPI schema after controller signature drift was detected.

Testing

  • make test-backend-app: 533 tests, 0 failures/errors
  • make typecheck-cli
  • make lint-cli
  • make test-cli: 329 pass / 0 fail
  • make typecheck-web
  • make lint-web
  • bash scripts/tests/validate-release-config-test.sh
  • bash scripts/tests/dev-web-host-test.sh
  • bash scripts/tests/workflow-security-test.sh
  • bash -n scripts/smoke-test.sh scripts/validate-release-config.sh scripts/tests/validate-release-config-test.sh scripts/tests/dev-web-host-test.sh scripts/tests/workflow-security-test.sh
  • git diff --check
  • Staging-equivalent isolated compose smoke: 15 passed / 0 failed

Note: direct Dockerfile.dev rebuild was blocked locally by Docker Hub TLS timeouts while pulling eclipse-temurin:21-jre-alpine. I verified the current rebuilt app.jar/web build in an isolated compose project using locally cached runtime images.

@dongmucat dongmucat force-pushed the fix/security-review-hardening branch from d23732c to 20d617d Compare June 11, 2026 10:51
Signed-off-by: dongmucat <1127093059@qq.com>
@dongmucat dongmucat force-pushed the fix/security-review-hardening branch from 20d617d to a4d94cb Compare June 11, 2026 11:51
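
The ZIP central-directory limit described in this PR's summary, sketched as an added example that is not code from this pull request: it reads only the end-of-central-directory record and the central-directory headers, and rejects an archive before any entry is extracted. The function names and limit values are assumptions, and ZIP64 archives are rejected rather than parsed.

```javascript
// Added example: limits are hypothetical values, not the project's own.
const LIMITS = { maxEntries: 1000, maxEntryBytes: 50 * 2 ** 20, maxTotalBytes: 200 * 2 ** 20 };

// Validate a ZIP's central directory against limits before extracting anything.
function checkCentralDirectory(buf, limits = LIMITS) {
  // The end-of-central-directory (EOCD) record is 22 bytes plus a comment of up to 65535 bytes.
  const floor = Math.max(0, buf.length - 22 - 0xffff);
  let eocd = -1;
  for (let i = buf.length - 22; i >= floor; i--) {
    if (buf.readUInt32LE(i) === 0x06054b50) { eocd = i; break; }
  }
  if (eocd < 0) throw new Error("no end-of-central-directory record");
  const count = buf.readUInt16LE(eocd + 10);
  const cdSize = buf.readUInt32LE(eocd + 12);
  const cdStart = buf.readUInt32LE(eocd + 16);
  // Simplification for this example: ZIP64 sentinel values are rejected, not parsed.
  if (count === 0xffff || cdStart === 0xffffffff) throw new Error("ZIP64 not supported");
  if (count > limits.maxEntries) throw new Error("too many entries");
  if (cdStart + cdSize > eocd) throw new Error("central directory out of bounds");
  let pos = cdStart, total = 0;
  for (let n = 0; n < count; n++) {
    if (pos + 46 > cdStart + cdSize || buf.readUInt32LE(pos) !== 0x02014b50)
      throw new Error("truncated or corrupt central directory");
    const size = buf.readUInt32LE(pos + 24); // declared uncompressed size
    if (size > limits.maxEntryBytes) throw new Error("entry too large");
    total += size;
    if (total > limits.maxTotalBytes) throw new Error("archive too large");
    // Skip the fixed 46-byte header plus name, extra field and comment.
    pos += 46 + buf.readUInt16LE(pos + 28) + buf.readUInt16LE(pos + 30) + buf.readUInt16LE(pos + 32);
  }
  return { entries: count, totalUncompressed: total };
}

// Constructed sample: central directory and EOCD only (no file data), enough for the check.
function buildSample(sizes) {
  const parts = sizes.map((size, i) => {
    const name = Buffer.from(`f${i}.txt`);
    const h = Buffer.alloc(46);
    h.writeUInt32LE(0x02014b50, 0);
    h.writeUInt32LE(size, 24);
    h.writeUInt16LE(name.length, 28);
    return Buffer.concat([h, name]);
  });
  const cd = Buffer.concat(parts);
  const eocd = Buffer.alloc(22);
  eocd.writeUInt32LE(0x06054b50, 0);
  eocd.writeUInt16LE(sizes.length, 10);
  eocd.writeUInt32LE(cd.length, 12);
  return Buffer.concat([cd, eocd]); // central directory offset stays 0
}
```

Declared sizes come from the archive itself, so extraction still needs to count bytes as they are written and stop at the same limits.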