security: fix sandbox bypass, env race, and unsafe SAFETY docs #1231

Closed
BunnyMoth wants to merge 14 commits into RightNow-AI:main from BunnyMoth:main


Conversation

BunnyMoth commented Jun 5, 2026

## Security fixes — sandbox bypass, env race condition, unsafe docs

Note: commit 2cc8041 (lettre CVE fix) overlaps with #1208 which was
already open. Happy to rebase and drop that commit if preferred —
the remaining 6 commits are independent fixes.

Changes

HIGH: Workspace sandbox bypass in media tools

tool_media_describe and tool_media_transcribe bypassed the workspace
sandbox entirely, allowing agents to read arbitrary host files. Both
now use resolve_file_path the same way all other file tools do.

HIGH: std::env::set_var/remove_var in async Axum handlers

Process environment was being used as a live config store from
multi-threaded request handlers — undefined behaviour under concurrent
requests and a compile error on Rust 1.81+. Replaced with
RwLock<HashMap<String, String>> in AppState, pre-populated from
resolve_credential at startup.

LOW: Missing SAFETY comment on libc::kill

Documented the three invariants: PID origin, Mutex guard, and
ESRCH no-op case.

Fix: rustfmt and missing api_keys in test AppState initializers

cargo fmt and test file updates to match the new AppState field.

Fix: TOCTOU and staging collision in clawhub.rs

  • Replaced nanosecond timestamp suffix with uuid in staging dir name
  • Replaced remove_dir_all + rename with atomic three-step rename
    sequence that never leaves the slot empty

Perf: reuse reqwest::Client across WASM host calls

Moved client into GuestState — created once, shared across all
host calls via connection pool.

Security: harden WhatsApp gateway

  • Bearer token auth on all endpoints
  • Removed Access-Control-Allow-Origin: *
  • Restricted auth_store directory to 0o700 on Linux/Mac
  • Generic error responses — raw err.message no longer leaked
  • PII redaction in logs — phone numbers show last 4 digits only
  • Removed deprecated printQRInTerminal: true
  • Renamed session_id → connection_id

Chore: package-lock.json for WhatsApp gateway

Pins dependency tree, npm audit confirms 0 vulnerabilities.

Fix: lettre CVE (RUSTSEC-2026-0141)

Bumped lettre 0.11.21 → 0.11.22. Fixes TLS hostname verification
bypass (severity 9.1). cargo audit now reports 0 vulnerabilities.
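
The handler-safe credential store described in the env-race fix above, as an added example that is not the PR's own code: api_keys lives in AppState behind an RwLock<HashMap<String, String>>, is populated once at startup from a resolver closure (a hypothetical stand-in for resolve_credential), and is then read and updated by concurrent threads standing in for Axum handlers, with no process-environment mutation anywhere.

```rust
use std::collections::HashMap;
use std::sync::{Arc, RwLock};
use std::thread;

/// Credential store kept in application state instead of the process environment:
/// readers share the lock, writers take it exclusively, so no thread mutates a global
/// that other threads are concurrently reading.
pub struct AppState {
    pub api_keys: RwLock<HashMap<String, String>>,
}

impl AppState {
    /// Populate once at startup. `resolve` is a hypothetical stand-in for a
    /// credential resolver (not the project's resolve_credential).
    pub fn new<F: Fn(&str) -> Option<String>>(names: &[&str], resolve: F) -> Self {
        let map = names
            .iter()
            .filter_map(|n| resolve(n).map(|v| (n.to_string(), v)))
            .collect();
        AppState { api_keys: RwLock::new(map) }
    }
    pub fn get_key(&self, name: &str) -> Option<String> {
        self.api_keys.read().unwrap().get(name).cloned()
    }
    pub fn set_key(&self, name: &str, value: &str) {
        self.api_keys.write().unwrap().insert(name.into(), value.into());
    }
    pub fn remove_key(&self, name: &str) -> Option<String> {
        self.api_keys.write().unwrap().remove(name)
    }
}

/// Stand-in for concurrent handlers: `writers` threads overwrite the key while
/// `readers` threads each read it `reads_each` times. Returns how many reads saw a
/// complete value (the initial one or a whole writer value); under the lock this
/// always equals readers * reads_each.
pub fn concurrent_demo(state: Arc<AppState>, writers: usize, readers: usize, reads_each: usize) -> usize {
    let mut handles = Vec::new();
    for i in 0..writers {
        let s = Arc::clone(&state);
        handles.push(thread::spawn(move || { s.set_key("API_KEY", &format!("key-{i}")); 0 }));
    }
    for _ in 0..readers {
        let s = Arc::clone(&state);
        handles.push(thread::spawn(move || {
            (0..reads_each)
                .filter(|_| matches!(s.get_key("API_KEY"), Some(v) if v == "initial" || v.starts_with("key-")))
                .count()
        }));
    }
    handles.into_iter().map(|h| h.join().unwrap()).sum()
}
```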

BunnyMoth (Author) commented

Hi — I'm aware this PR is broader than the one-concern guideline in
CONTRIBUTING.md. The commits break down into roughly four concerns:

  1. Security fixes (sandbox bypass, env race, SAFETY docs) — commits b829ab0, f8498f7
  2. Code quality (TOCTOU, reqwest pooling, validate_path, doc comments) — commits 0a4ec79, 1e5f3c0, bf571a7, 57493b4
  3. WhatsApp gateway hardening + package-lock — commits 642e7ae, 5d92039
  4. Dependency + CI (lettre CVE, clippy --all-targets, npm audit, Zeroizing, SECURITY.md) — commits 2cc8041, ab62603, 80d6aac

Happy to split into separate PRs if that makes review easier. Also
opening a separate PR for the WASM sandbox fixes (Gap A/B/C/D) which
came after this PR was opened.

Let me know how you'd like to proceed.

BunnyMoth (Author) commented

Closing this in favour of focused PRs as per CONTRIBUTING.md guidelines:

WASM sandbox fixes (Gap A/B/C/D) will follow once the above are reviewed.

BunnyMoth closed this Jun 8, 2026