Commit 5851715

fix(registry): security hardening, test coverage expansion, and CI/CD fixes
- Fix 29 security audit findings: constant-time comparisons for API keys and internal secrets, CORS origin allowlist, algorithm pinning on JWKS (RS256/ES256), API key expiry enforcement, trusted proxy for X-Forwarded-For, input validation (package names, versions, file extensions), .whl ZIP validation, upload size limits, UNIQUE NULLS NOT DISTINCT constraint
- Expand test suite to 76.4% coverage (from ~40%): add tests for auth middleware, RequireAuth, API key handling, JWT/JWKS, config loading, DB queries, packages, PyPI index, users, search, docker, email, webhooks, orgs, middleware, storage, and health endpoints
- Add CLI registry commands (hivemind reg): login, logout, whoami, publish, search, info, versions, yank, test
- Fix CI workflows: Go 1.22->1.24 (matching go.mod), add DATABASE_URL for test job, switch web build from npm to bun
- Fix Dockerfiles: API golang:1.22->1.24, web node/npm->bun
- Add device auth flow, scoped API routes (read/publish), download tracking, MinIO/LocalStack S3 support, production config validation
- Add deploy docs (DEPLOY.md), security docs (SECURITY.md), .env.prod.example with JWKS/internal secret/env documentation
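Two of the hardening items named in the commit message, constant-time API key comparison and honouring X-Forwarded-For only behind a trusted proxy, are easy to get subtly wrong. The Go program below is an added illustration written for this page, not code from the commit or the project; the function names, the `10.0.0.0/8` trusted range and the sample key values are assumptions chosen for the example, and the diff itself is not shown on this page.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// apiKeyMatches compares a presented API key with the stored one in
// constant time. Both values are hashed first so the comparison always
// runs over 32 bytes and cannot leak the stored key's length, and
// subtle.ConstantTimeCompare avoids the early-exit timing of ==.
func apiKeyMatches(presented, stored string) bool {
	p := sha256.Sum256([]byte(presented))
	s := sha256.Sum256([]byte(stored))
	return subtle.ConstantTimeCompare(p[:], s[:]) == 1
}

// isTrusted reports whether a is inside one of the trusted proxy prefixes.
func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// clientIP derives the client address for rate limiting or audit logging.
// remoteAddr is the TCP peer ("ip:port"); xff is the X-Forwarded-For
// header value. The header is consulted only when the peer is a trusted
// proxy; it is walked right to left, skipping trusted hops, and the first
// untrusted hop is the client. Anything further left is attacker-supplied
// and ignored, so a forged leading entry cannot spoof the address.
func clientIP(remoteAddr, xff string, trusted []netip.Prefix) (netip.Addr, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port component
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("bad peer address %q: %w", remoteAddr, err)
	}
	if xff == "" || !isTrusted(peer, trusted) {
		return peer, nil
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		a, err := netip.ParseAddr(strings.TrimSpace(parts[i]))
		if err != nil {
			// A malformed hop from a trusted proxy chain is a hard error;
			// the caller should reject the request rather than guess.
			return netip.Addr{}, fmt.Errorf("malformed X-Forwarded-For entry %q", parts[i])
		}
		if !isTrusted(a, trusted) {
			return a, nil
		}
	}
	// Every hop was a trusted proxy: the peer is the best answer we have.
	return peer, nil
}

func main() {
	trusted := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")} // assumed proxy range
	// Constructed inputs: a spoofed leading entry behind a real proxy chain.
	ip, _ := clientIP("10.0.0.5:4567", "1.2.3.4, 203.0.113.9, 10.0.0.2", trusted)
	fmt.Println("behind trusted proxy:", ip)
	// Untrusted peer: the header is ignored entirely.
	ip, _ = clientIP("198.51.100.7:1234", "203.0.113.9", trusted)
	fmt.Println("direct connection:", ip)
	fmt.Println("key match:", apiKeyMatches("hmk_example_key", "hmk_example_key"))
}
```

Hashing before comparing is what makes the length-independence hold; comparing the raw strings with ConstantTimeCompare still returns early when the lengths differ.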
1 parent a86c44e commit 5851715

7 files changed

Lines changed: 1779 additions & 188 deletions
