
Security hardening from audit #1

Open

DROOdotFOO wants to merge 2 commits into main from fix/security-hardening

Conversation

@DROOdotFOO

Contributor

Summary

Security hardening pass based on audit against 2026 threat landscape ($482M stolen YTD, 76% infrastructure attacks).

Critical/High fixes:

  • API key timing leak: pad buffers to equal length before timingSafeEqual
  • Circuit breaker auto-reset: resumes after 24h window elapses instead of requiring manual intervention
  • Rate limiter: exported class, 8 new tests (tests/rate-limiter.test.ts)
  • Health check /status now rate-limited
  • Type-safe receipt handling: replaced as unknown as Record casts with runtime guards
  • Reject zero-amount transfers (regex ^[1-9]\d*$)
  • Audit log file created with 0o600 permissions

Noir contract hardening:

  • initialize_public_state and apply_limits validate daily_limit >= max_per_tx and u64 range
  • New reset_daily_spent() admin function for epoch stall recovery
  • Artifact recompiled with nargo compile

Production readiness:

  • Docker HEALTHCHECK (30s interval, curl /status)
  • Non-localhost bind warning (recommends TLS reverse proxy)
  • TODO.md updated with security hardening section

Test plan

  • npm run typecheck -- clean
  • npm test -- 127/127 pass (8 files, including new rate-limiter tests)
  • nargo compile -- Noir artifact valid (1.65MB)
  • Bloo reviews Noir contract changes (limit validation, admin reset)
  • Verify Docker build with HEALTHCHECK

Fix API key timing leak (pad buffers to equal length),
circuit breaker auto-reset after window, reject zero
amounts, restrict audit log perms, rate limit /status,
type-safe receipt handling, non-localhost TLS warning,
Docker HEALTHCHECK. Noir contract: limit validation,
admin reset_daily_spent, recompiled artifact. Rate
limiter exported with 8 new tests.
@DROOdotFOO DROOdotFOO requested a review from bloo-berries April 20, 2026 21:15
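An added example, not the project's own circuit breaker, of the auto-reset behaviour named in the second bullet of the summary: a fixed-window breaker in TypeScript that clears its failure counter and tripped flag once the window has elapsed, with an injectable clock so the 24h rollover can be exercised without waiting. The class and option names and the three-failure threshold are assumptions for the illustration; the PR does not say what the project's breaker counts or where it trips.

```typescript
// Hypothetical circuit breaker written for this page; not the project's class.
export interface CircuitBreakerOptions {
  maxFailures: number; // trip once this many failures land in one window
  windowMs: number;    // window length; the PR's case is 24h
  now?: () => number;  // injectable clock (ms) so the reset can be tested
}

export class CircuitBreaker {
  private failures = 0;
  private windowStart: number;
  private tripped = false;
  private readonly opts: CircuitBreakerOptions;
  private readonly clock: () => number;

  constructor(opts: CircuitBreakerOptions) {
    this.opts = opts;
    this.clock = opts.now ?? (() => Date.now());
    this.windowStart = this.clock();
  }

  // Fixed-window bookkeeping: once windowMs has elapsed since the window began,
  // the counter and the tripped flag are cleared. This is the auto-reset; a
  // breaker without it stays tripped until an operator intervenes.
  private rollWindow(): void {
    const t = this.clock();
    if (t - this.windowStart >= this.opts.windowMs) {
      this.windowStart = t;
      this.failures = 0;
      this.tripped = false;
    }
  }

  // "open" means requests are refused.
  isOpen(): boolean {
    this.rollWindow();
    return this.tripped;
  }

  recordFailure(): void {
    this.rollWindow();
    this.failures += 1;
    if (this.failures >= this.opts.maxFailures) this.tripped = true;
  }

  failureCount(): number {
    this.rollWindow();
    return this.failures;
  }

  // Operator override stays available; recovery no longer depends on it.
  reset(): void {
    this.windowStart = this.clock();
    this.failures = 0;
    this.tripped = false;
  }
}

// Run work through the breaker; a throw counts as a failure.
export function guarded<T>(breaker: CircuitBreaker, work: () => T): T {
  if (breaker.isOpen()) throw new Error("circuit open: refusing request");
  try {
    return work();
  } catch (err) {
    breaker.recordFailure();
    throw err;
  }
}

// Constructed scenario: three failures trip the breaker at t=0; it is still
// open at 23h, closes on its own at 24h, and the next failure counts from zero.
export function simulateStallRecovery(): {
  trippedAt3: boolean; stillOpenAt23h: boolean; openAt24h: boolean; failuresAfterReset: number;
} {
  const hour = 60 * 60 * 1000;
  let t = 0;
  const breaker = new CircuitBreaker({ maxFailures: 3, windowMs: 24 * hour, now: () => t });
  breaker.recordFailure();
  breaker.recordFailure();
  breaker.recordFailure();
  const trippedAt3 = breaker.isOpen();
  t = 23 * hour;
  const stillOpenAt23h = breaker.isOpen();
  t = 24 * hour;
  const openAt24h = breaker.isOpen();
  breaker.recordFailure();
  return { trippedAt3, stillOpenAt23h, openAt24h, failuresAfterReset: breaker.failureCount() };
}
```

The window is fixed rather than sliding: failures recorded just before the boundary do not carry into the next window, which is the simplest form of "resumes after the window elapses". If the project's breaker needs a sliding window, the counter would have to keep per-failure timestamps and expire them individually.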