feat: add push notification deep link allowlist and payload schema enforcement (#664)

[AlphaMaleBaDI]

Closes #664

Summary

Adds defense-in-depth validation for push notification navigation payloads.

This change introduces notification payload schema validation with Zod together with a notification screen allowlist to prevent untrusted notification payloads from triggering unintended navigation.

Changes

• Added NOTIFICATION_SCREEN_ALLOWLIST in src/config/security.ts

• Added screenName to NotificationData

• Added Zod validation for notification payloads before navigation

• Blocked navigation for non-allowlisted screens

• Logged rejected notification payloads to Sentry as warnings

• Preserved existing notification routing behavior (screenName acts only as a security gate)

• Added unit tests covering:

  • allowlisted screen
  • blocked screen
  • malformed payload
  • missing screenName
  • payload validation

Notes

This implementation intentionally treats screenName as a validation gate rather than a navigation override. Existing notification routing remains unchanged while preventing navigation initiated from untrusted notification payloads.

[drips-wave]

@AlphaMaleBaDI Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[AlphaMaleBaDI]

Design Note

Existing notification routing behavior is preserved.

The optional screenName field is treated as a security validation gate, not as a navigation override. When present, it must pass both Zod schema validation and the notification screen allowlist before the notification continues through the existing notification-type routing logic. This prevents untrusted notification payloads from influencing navigation while preserving the application's established behavior.

[RUKAYAT-CODER]

Thank you for contributing to the project.