
#20106: security: MAESTRO threat mitigations (LM-001, SC-003, AF-005, DI-006, EO-004, AE-001)

by kenhuangus, open, 2026-02-18 14:49
Labels: cli, docker; size: M
Implements 6 MAESTRO security mitigations: LM-001 prompt injection detection, SC-003 pairing rate limiting, AF-005/DI-006 Docker hardening, EO-004 HMAC log integrity, AE-001 skill scanner. See threat-assessment.md for details.

<h3>Greptile Summary</h3>

This PR adds six MAESTRO security mitigations across Docker hardening, pairing rate-limiting, prompt injection detection, HMAC log integrity, and a skill content scanner.

- **Docker hardening (AF-005/DI-006)**: Adds `security_opt: no-new-privileges` and `cap_drop: ALL` to both services in `docker-compose.yml`, and a metadata label to `Dockerfile.sandbox`. Straightforward and correct.
- **Pairing rate limiter (SC-003)**: Introduces an in-process `PairingRateLimiter` in `pairing-store.ts`, but the rate-limit key is per (channel, code) — a brute-force attacker trying different codes would never trigger the lockout. Should key on channel alone or channel + source.
- **Prompt injection blocking (LM-001)**: Adds `checkAndBlockSuspiciousContent()` in `external-content.ts`, but it is only called from the new `skills scan` CLI command — it is not yet wired into any actual LLM content pipeline.
- **Log integrity (EO-004)**: New `log-integrity.ts` provides HMAC-SHA256 chaining for tamper-evident logs. Clean implementation, but has a correctness edge case (entries with a pre-existing "chain" property cause seal/verify mismatch) and no callers or tests yet.
- **Skill scanner (AE-001)**: Adds `openclaw skills scan` subcommand that reads skill files and checks them against prompt injection patterns. Uses unnecessary type assertions that weaken type safety.

<h3>Confidence Score: 3/5</h3>

- PR is mostly additive with low regression risk, but the rate limiter has a design flaw that undermines its stated security goal.
- Docker hardening changes are safe. The rate limiter's per-(channel, code) keying doesn't prevent brute-force enumeration across codes, defeating its purpose. Log integrity has a correctness edge case. New modules lack tests and callers.
- src/pairing/pairing-store.ts (rate limiter design flaw), src/security/log-integrity.ts (seal/verify mismatch edge case, no tests)

<sub>Last reviewed commit: 7595180</sub>

**Context used:**

- Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))
- Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13))
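The rate-limiter keying flaw the review points out, illustrated as an added example that is not the PR's code: a minimal in-process limiter that can be keyed per (channel, code) or per channel, driven by one client submitting many distinct wrong codes. The class shape, the `allow()` method and the `telegram` channel name are assumptions, not the project's API.

```typescript
// Added example: why per-(channel, code) keying does not lock out a
// code-guessing client, while per-channel keying does. Names are
// assumptions and do not mirror the PR's PairingRateLimiter.

type KeyMode = "channel+code" | "channel";

interface Bucket {
  count: number;
  windowStart: number;
}

class PairingRateLimiter {
  private readonly attempts = new Map<string, Bucket>();
  private readonly mode: KeyMode;
  private readonly maxAttempts: number;
  private readonly windowMs: number;

  constructor(mode: KeyMode, maxAttempts = 5, windowMs = 60_000) {
    this.mode = mode;
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
  }

  private key(channel: string, code: string): string {
    // Flawed form: the guessed code is part of the key, so every new guess
    // starts a fresh bucket and the counter never accumulates.
    return this.mode === "channel+code" ? `${channel}:${code}` : channel;
  }

  // Returns true if the attempt may proceed, false if the key is locked out.
  allow(channel: string, code: string, now: number): boolean {
    const k = this.key(channel, code);
    const bucket = this.attempts.get(k);
    if (!bucket || now - bucket.windowStart >= this.windowMs) {
      this.attempts.set(k, { count: 1, windowStart: now });
      return true;
    }
    bucket.count += 1;
    return bucket.count <= this.maxAttempts;
  }
}

// Simulate one client submitting `guesses` distinct wrong codes inside a
// single window and count how many the limiter lets through.
function attemptsAllowed(mode: KeyMode, guesses: number): number {
  const limiter = new PairingRateLimiter(mode, 5, 60_000);
  let allowed = 0;
  for (let i = 0; i < guesses; i++) {
    const code = String(i).padStart(6, "0"); // constructed guess sequence
    if (limiter.allow("telegram", code, 1_000 + i)) allowed++;
  }
  return allowed;
}
```

With 100 distinct guesses, the per-(channel, code) limiter admits all 100, the per-channel limiter admits 5; keying on channel + source behaves like the per-channel case for a single source.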
