
fix: harden API security #12

Merged
thlaure merged 2 commits into main from fix/security-hardening
May 17, 2026

Conversation

@thlaure thlaure commented May 17, 2026

Summary

  • HMAC device token hashing: replaced plain SHA-256 with hash_hmac keyed by DEVICE_TOKEN_HASH_SECRET; authenticator auto-upgrades legacy tokens on first use so existing devices are not invalidated
  • Fixed-window rate limiting: new FixedWindowEndpointRateLimiter (pessimistic DB lock, wrapInTransaction) applied to device registration (20/min), fall alert creation (6/min), and invite acceptance (5/10min)
  • Invite code entropy: random_bytes(16) → 128-bit hex code (was 32-bit); column widened in migration
  • FCM hardening: access token cached for up to 3540s; 10s timeout on OAuth + send calls; raw error body stripped from exception message
  • Messenger dead-letter queue: failure transport switched from in-memory to Redis via MESSENGER_FAILED_TRANSPORT_DSN env var
  • Trusted proxies: wired via TRUSTED_PROXIES env var so getClientIp() resolves correctly behind Caddy/Nginx
  • instanceof guards: replaced assert() with explicit instanceof checks in all three state processors

Security issues resolved

| ID | Severity | Issue |
| --- | --- | --- |
| CRIT-02 | Critical | Plain SHA-256 token hash |
| HIGH-04 | High | No rate limit on device registration |
| HIGH-05 | High | Weak invite code entropy |
| MED-04 | Medium | assert() disabled in prod PHP config |
| MED-05 | Medium | FCM error body leaked in exception |
| MED-06 | Medium | No HTTP timeout on FCM calls |
| CC-05 | Medium | Failed push messages permanently lost |

Test plan

  • make lint — 0 changes
  • make analyse — 0 errors
  • make rector — 0 changes
  • make test — all pass, coverage ≥ 90%
  • make test-behat — all scenarios pass
  • Verify DEVICE_TOKEN_HASH_SECRET set in prod deployment secrets
  • Verify MESSENGER_FAILED_TRANSPORT_DSN set in prod deployment secrets
  • Verify TRUSTED_PROXIES matches actual proxy setup in prod

🤖 Generated with Claude Code
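The keyed token hashing with legacy auto-upgrade (CRIT-02) and the 128-bit invite code (HIGH-05) from the summary above, as an added example that is not the project's code. It keeps an in-memory array in place of the device table, and every class, method and variable name is an assumption; the project's real authenticator, storage and entity names are not shown on this page.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Keyed device-token hashing (hash_hmac under
// DEVICE_TOKEN_HASH_SECRET), lookup by hash, transparent upgrade of a legacy plain
// SHA-256 row on its first successful use, and the 128-bit invite code. The in-memory
// array standing in for the device table and all class/method names are assumptions.
// Requires PHP >= 8.1.

final class DeviceTokenHasher
{
    public function __construct(private readonly string $secret)
    {
        // The key is what stops a leaked table from being brute-forced offline, so
        // refuse to run with a short or missing secret rather than silently degrade.
        if (strlen($secret) < 32) {
            throw new InvalidArgumentException('DEVICE_TOKEN_HASH_SECRET must be at least 32 bytes');
        }
    }

    /** Keyed hash used for every new and every upgraded row. */
    public function hash(string $token): string
    {
        return hash_hmac('sha256', $token, $this->secret);
    }

    /** The scheme the PR replaces; kept only to recognise pre-migration rows. */
    public static function legacyHash(string $token): string
    {
        return hash('sha256', $token);
    }
}

final class DeviceAuthenticator
{
    /** @var array<string, array{id: int, token_hash: string}> rows indexed by token_hash */
    private array $byHash = [];

    /** @param list<array{id: int, token_hash: string}> $rows */
    public function __construct(private readonly DeviceTokenHasher $hasher, array $rows)
    {
        foreach ($rows as $row) {
            $this->byHash[$row['token_hash']] = $row;
        }
    }

    /** Returns the device row for a presented bearer token, or null if it is unknown. */
    public function authenticate(string $presented): ?array
    {
        $hmac = $this->hasher->hash($presented);
        if (isset($this->byHash[$hmac])) {
            return $this->byHash[$hmac];           // already on the keyed scheme
        }
        // Fallback for devices registered before the change. Only reached when the
        // keyed lookup missed, so an upgraded device never takes this path again.
        $legacy = DeviceTokenHasher::legacyHash($presented);
        if (!isset($this->byHash[$legacy])) {
            return null;
        }
        $row = $this->byHash[$legacy];
        $row['token_hash'] = $hmac;                // rewrite in place: a one-way upgrade
        unset($this->byHash[$legacy]);
        $this->byHash[$hmac] = $row;
        return $row;
    }

    /** Stored hash for a device id, so the upgrade can be observed. */
    public function storedHashFor(int $id): ?string
    {
        foreach ($this->byHash as $hash => $row) {
            if ($row['id'] === $id) {
                return $hash;
            }
        }
        return null;
    }
}

/** 128-bit invite code: 32 hex characters, hence the widened column (8 chars held 32 bits). */
function generateInviteCode(): string
{
    return bin2hex(random_bytes(16));
}

// Constructed sample data: device 1 still has a legacy hash, device 2 is already keyed.
// The str_repeat fallback is for this demo only; production reads the env var.
$hasher = new DeviceTokenHasher(getenv('DEVICE_TOKEN_HASH_SECRET') ?: str_repeat('x', 32));
$legacyToken = 'device-token-A';
$keyedToken  = 'device-token-B';
$auth = new DeviceAuthenticator($hasher, [
    ['id' => 1, 'token_hash' => DeviceTokenHasher::legacyHash($legacyToken)],
    ['id' => 2, 'token_hash' => $hasher->hash($keyedToken)],
]);

$unknownRejected = $auth->authenticate('not-a-token') === null;
$legacyLogin     = $auth->authenticate($legacyToken);   // legacy path, rewrites the row
$upgraded        = $auth->storedHashFor(1) === $hasher->hash($legacyToken);
$secondLogin     = $auth->authenticate($legacyToken);   // keyed path from now on
printf("unknown rejected: %s, legacy login id: %s, row upgraded: %s, keyed relogin id: %s\n",
    var_export($unknownRejected, true), var_export($legacyLogin['id'] ?? null, true),
    var_export($upgraded, true), var_export($secondLogin['id'] ?? null, true));
$code = generateInviteCode();
printf("invite code: %s (%d hex chars)\n", $code, strlen($code));
```

Two points a reviewer would check against the real implementation: the legacy fallback must only be tried after the keyed lookup misses (otherwise the unkeyed comparison stays on the hot path forever), and rows that never re-authenticate keep their plain SHA-256 hash indefinitely, so a follow-up that expires or rotates devices which have not upgraded within some window closes the remaining exposure. Device tokens should be generated with `random_bytes` just like the invite code; a keyed hash does not rescue a low-entropy token.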
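The fixed-window limiter the summary applies to device registration (20/min), fall alert creation (6/min) and invite acceptance (5/10min), as an added example that is not the project's `FixedWindowEndpointRateLimiter`. It uses SQLite, where `BEGIN IMMEDIATE` plays the role of the pessimistic row lock taken inside `wrapInTransaction` (SQLite has no `SELECT ... FOR UPDATE`); the table, class and method names and the constructed client address are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. A per-endpoint fixed-window rate limiter
// whose read-modify-write of the counter runs under an exclusive database lock, so two
// concurrent requests cannot both observe hits=19 and both pass a 20/min limit.
// Table/class names are assumptions. Requires PHP >= 8.1 with pdo_sqlite.

final class FixedWindowRateLimiter
{
    public function __construct(private readonly PDO $pdo)
    {
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE IF NOT EXISTS rate_limit (
            bucket TEXT PRIMARY KEY, window_start INTEGER NOT NULL, hits INTEGER NOT NULL)');
    }

    /**
     * @param string   $endpoint  logical route name, e.g. "device_register"
     * @param string   $subject   client IP (only meaningful with correct trusted proxies) or user id
     * @param int      $limit     requests allowed per window
     * @param int      $windowSec window length in seconds
     * @param int|null $now       injectable clock for tests
     */
    public function attempt(string $endpoint, string $subject, int $limit, int $windowSec, ?int $now = null): bool
    {
        $now ??= time();
        $windowStart = intdiv($now, $windowSec) * $windowSec;   // fixed, aligned window
        $bucket = $endpoint . '|' . $subject;

        // BEGIN IMMEDIATE acquires the write lock before the SELECT, the SQLite
        // equivalent of a pessimistic lock; other writers block until COMMIT.
        $this->pdo->exec('BEGIN IMMEDIATE');
        try {
            $stmt = $this->pdo->prepare('SELECT window_start, hits FROM rate_limit WHERE bucket = ?');
            $stmt->execute([$bucket]);
            $row = $stmt->fetch(PDO::FETCH_ASSOC);

            if ($row === false || (int) $row['window_start'] !== $windowStart) {
                $hits = 1;   // first hit of this window: the counter starts over
                $this->pdo->prepare('INSERT OR REPLACE INTO rate_limit (bucket, window_start, hits) VALUES (?, ?, ?)')
                    ->execute([$bucket, $windowStart, $hits]);
            } else {
                $hits = (int) $row['hits'] + 1;   // counted even when denied, so retries stay blocked
                $this->pdo->prepare('UPDATE rate_limit SET hits = ? WHERE bucket = ?')
                    ->execute([$hits, $bucket]);
            }
            $this->pdo->exec('COMMIT');
        } catch (Throwable $e) {
            $this->pdo->exec('ROLLBACK');
            throw $e;   // fail closed: a storage error must not turn into "allowed"
        }
        return $hits <= $limit;
    }
}

// Constructed run: 25 registration attempts from one address inside a single 60 s
// window, then one more after the window rolls over. $t0 is window-aligned for clarity.
$limiter = new FixedWindowRateLimiter(new PDO('sqlite::memory:'));
$ip = '203.0.113.7';   // constructed; in the app this is the value of getClientIp()
$t0 = 1_700_000_040;
$allowed = 0;
for ($i = 0; $i < 25; $i++) {
    if ($limiter->attempt('device_register', $ip, 20, 60, $t0 + $i)) {
        $allowed++;
    }
}
printf("device_register: %d of 25 allowed within one window\n", $allowed);
printf("after rollover: %s\n", $limiter->attempt('device_register', $ip, 20, 60, $t0 + 60) ? 'allowed' : 'denied');
printf("invite_accept (5 per 600 s), first call: %s\n",
    $limiter->attempt('invite_accept', $ip, 5, 600, $t0) ? 'allowed' : 'denied');
```

Two caveats that follow from the design. A fixed window lets a client spend a full quota at the end of one window and another at the start of the next, so the effective burst is twice the nominal limit; that is acceptable for these abuse limits but worth knowing when tuning them. The bucket key is only as good as `getClientIp()`: with TRUSTED_PROXIES unset behind Caddy/Nginx every client resolves to the proxy's address and shares one bucket, and with the proxy trusted too loosely a client can pick its own `X-Forwarded-For` and dodge the limit entirely, which is why the TRUSTED_PROXIES check in the test plan belongs with the rate limiting rather than being a cosmetic logging fix.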

Thomas Laure and others added 2 commits May 17, 2026 19:19
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…m hardening

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@thlaure thlaure merged commit ce190fa into main May 17, 2026
5 checks passed