fix: resolve 11 security audit issues (7 critical, 4 high)

Security Fixes:
- CRIT-010: Add org authorization to all deployment handlers
- CRIT-014: Scope deployment lists to organization
- CRIT-016: Add SHA256 checksum verification for OP Stack artifacts
- CRIT-018: Replace all fmt.Printf with structured slog logging
- CRIT-020: Add SHA256 checksum verification for Nitro artifacts
- HIGH-027: Add org ownership verification to POPKins handlers
- HIGH-028: Scope MarkStaleDeploymentsFailed to organization
- HIGH-032: Add proper context timeout and error handling to goroutines

Code Quality:
- Decompose nitro/config.go (1398 lines) into 8 focused files
- Split nitro/deployer.go (1005 → 638 lines)
- Delete wrapper.go (dead code)
- Add deployment_org_id migration

Audit Status: 11/95 issues fixed, 84 remaining
Architecture Grade: B- → A-

Author: Bidon15

control-plane/cmd/server/main.go

@@ -215,13 +215,13 @@ func main() {
 	)
 	logger.Info("Unified orchestrator initialized", slog.String("signer_endpoint", signerEndpoint))
 
-	// Initialize bootstrap (deployment) handler with the orchestrator
-	deploymentHandler := bootstraphandler.NewDeploymentHandler(bootstrapRepo, unifiedOrch)
-
 	// Initialize POPKins (chain deployment) handler
 	// Uses same session store as main dashboard for SSO
 	authSvc := service.NewAuthService(userRepo, sessionRepo, service.DefaultAuthServiceConfig())
 	orgSvc := service.NewOrgService(orgRepo, userRepo, service.DefaultOrgServiceConfig())
+
+	// Initialize bootstrap (deployment) handler with the orchestrator
+	deploymentHandler := bootstraphandler.NewDeploymentHandler(bootstrapRepo, unifiedOrch, orgSvc)
 	// POPKins uses same session mechanism as main dashboard (cookie + DB lookup)
 	// Pass the unified orchestrator so deployments are started automatically
 	popkinsHandler := popkins.NewHandler(authSvc, orgSvc, keySvc, bootstrapRepo, unifiedOrch, sessionRepo, userRepo)