
Conversation

@maximmasiutin

Summary

Comprehensive security fixes addressing multiple CWE vulnerabilities and Docker hardening.

Fixes

Critical Security (CWE)

  • CWE-362 Race Condition: Add C11 atomics for thread-safe g_found_secret access
  • CWE-476 NULL Dereference: Add NULL checks after strtok() for malformed JWT input
  • CWE-190 Integer Overflow: Replace atoi() with strtol() with validation (range 1-1000)
  • CWE-208 Timing Attack: Replace memcmp() with constant-time comparison function
  • CWE-252 Unchecked Return: Add NULL checks for all 7 malloc() calls
  • CWE-121 Stack Overflow: Replace VLA with heap allocation for thread data array

Base64 Fix

  • Base64URL Support: Accept both + and - for index 62 per RFC 4648

Docker Security

  • Non-root USER: Add unprivileged user in Dockerfile and Dockerfile.test
  • OpenSSL CVEs: Add apk upgrade to patch CVE-2025-9230, CVE-2025-9231, CVE-2025-9232
  • Remove redundant build: Single make command (macOS paths removed)
  • Shell quoting: Fix $@ to "$@" in entrypoint.sh

Testing & CI

  • Valgrind tests: Add Dockerfile.test with memory leak and race detection
  • Security test suite: Add test_security.sh verifying all fixes
  • Trivy scanning: Add GitHub Actions workflow for container scanning
  • Documentation: Add FIXES-PROPOSED.md and FIXES-PROPOSED-v2.md
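
Two of the fixes listed above, the Base64URL alphabet handling (index 62 as '+' or '-') and the constant-time comparison replacing memcmp(), shown together in an added C example written for this page; it is not code from the PR or the project. It also maps index 63 ('/' and '_'), which RFC 4648 defines alongside index 62; the function names, the 256-byte scratch buffer and the sample inputs are this example's own assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Map one Base64 character to its 6-bit value, accepting both the standard
 * (RFC 4648 section 4) and URL-safe (section 5) alphabets. -1 on anything else. */
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+' || c == '-') return 62;   /* index 62: '+' (standard) or '-' (URL-safe) */
    if (c == '/' || c == '_') return 63;   /* index 63: '/' (standard) or '_' (URL-safe) */
    return -1;
}

/* Decode Base64 or Base64URL into out (capacity out_cap). Unpadded input, as in
 * JWT segments, is accepted; '=' is only tolerated as trailing padding.
 * Returns bytes written, or -1 on an invalid character, a dangling single
 * sextet (length mod 4 == 1), or a too-small buffer. */
long b64_decode(const char *in, unsigned char *out, size_t out_cap) {
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0, len = strlen(in);
    while (len > 0 && in[len - 1] == '=') len--;      /* strip trailing padding */
    for (size_t i = 0; i < len; i++) {
        int v = b64_value(in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;           /* high bits fall off harmlessly */
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (bits >= 6) ? -1 : (long)n;
}

/* CWE-208 mitigation: OR the XOR of every byte pair so the loop never exits
 * early; the result does not depend on where a mismatch occurs. 1 if equal. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n) {
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Decode in, then compare against expected (n bytes) in constant time.
 * The length check is deliberate: a signature of the wrong length is rejected. */
int decode_matches(const char *in, const unsigned char *expected, size_t n) {
    unsigned char buf[256];                           /* assumed scratch size */
    long got = b64_decode(in, buf, sizeof buf);
    if (got < 0 || (size_t)got != n) return 0;
    return ct_equal(buf, expected, n);
}
```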

@maximmasiutin force-pushed the master branch 2 times, most recently from 76a9ba2 to f444de2 on December 1, 2025 18:26