fix: deep review hardening pass #6

Merged
pszymkowiak merged 1 commit into main from fix/deep-review-hardening
Mar 17, 2026

@pszymkowiak
Owner

Summary

Triple-pass deep code review findings, fixed:

  • Credentials: Replaced hand-rolled base64/hex with standard crates (removed 78 lines of custom crypto-adjacent code)
  • Auth SQLite: All 28 .lock().unwrap() replaced with proper error propagation (no more runtime panics on mutex poisoning)
  • Auth middleware: Token touch now logs errors instead of silently swallowing them
  • Auth JWT: Added minimum 32-byte secret length validation
  • Auth Postgres: Replaced fragile string-matching for duplicate detection with proper PostgreSQL error code 23505
  • Config validation: Added validate() method checking compression level (1-22) and replication factor (>=1)
  • SQL LIKE injection: Added escape_like() helper to escape %, _, \ in LIKE patterns
  • Proxy passphrase: Switched from stdin echo to rpassword echo-suppressed input

Files changed (11)

  • crates/enigma-core/src/config/credentials.rs — standard base64/hex
  • crates/enigma-core/src/config/mod.rs — config validation
  • crates/enigma-core/src/manifest/queries.rs — LIKE escape
  • crates/enigma-auth/src/jwt.rs — secret length check
  • crates/enigma-auth/src/middleware.rs — token touch logging
  • crates/enigma-auth/src/store/sqlite.rs — mutex error handling
  • crates/enigma-auth/src/store/postgres.rs — error code matching
  • crates/enigma-proxy/src/main.rs — rpassword
  • crates/enigma-proxy/Cargo.toml — rpassword dep
  • crates/enigma-core/Cargo.toml — base64/hex deps

@pszymkowiak pszymkowiak merged commit 688a908 into main Mar 17, 2026
1 check passed
@pszymkowiak pszymkowiak deleted the fix/deep-review-hardening branch March 17, 2026 15:30
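
Added example, not code from this pull request or the enigma crates: a sketch of what the `escape_like()` helper named in the summary has to do, paired with a small in-memory LIKE matcher so the effect of escaping can be checked offline. Only the name `escape_like` and the escaped characters (`%`, `_`, `\`) come from the summary; the function bodies, `prefix_pattern` and `like_match` are assumptions.

```rust
// Added illustration; not the enigma project's implementation.

/// Escape LIKE metacharacters so user-supplied text matches literally.
/// The query must declare the escape character, e.g. `... LIKE ?1 ESCAPE '\'`
/// (SQLite has no default escape character; PostgreSQL defaults to backslash).
fn escape_like(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        if matches!(c, '\\' | '%' | '_') {
            out.push('\\');
        }
        out.push(c);
    }
    out
}

/// Hypothetical helper: literal user prefix followed by one real wildcard.
fn prefix_pattern(user_prefix: &str) -> String {
    format!("{}%", escape_like(user_prefix))
}

/// Minimal case-sensitive LIKE evaluator with '\' as escape (demo only).
fn like_match(pattern: &str, text: &str) -> bool {
    fn go(p: &[char], t: &[char]) -> bool {
        match p.first().copied() {
            None => t.is_empty(),
            Some('%') => (0..=t.len()).any(|i| go(&p[1..], &t[i..])),
            Some('_') => !t.is_empty() && go(&p[1..], &t[1..]),
            Some('\\') if p.len() > 1 => {
                !t.is_empty() && t[0] == p[1] && go(&p[2..], &t[1..])
            }
            Some(c) => !t.is_empty() && t[0] == c && go(&p[1..], &t[1..]),
        }
    }
    let p: Vec<char> = pattern.chars().collect();
    let t: Vec<char> = text.chars().collect();
    go(&p, &t)
}

fn main() {
    // Constructed sample keys and a constructed user-supplied prefix "a_b".
    let keys = ["a_b/report", "axb/report", "a_b", "zzz"];
    for pat in ["a_b%".to_string(), prefix_pattern("a_b")] {
        let hits: Vec<_> = keys.iter().filter(|k| like_match(&pat, **k)).collect();
        println!("{:?} -> {:?}", pat, hits);
    }
}
```

The pattern should still be passed as a bound parameter; escaping only controls which characters act as wildcards inside it.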