fix(backend): address all CodeRabbit security and correctness issues #23

Merged: naheel0 merged 2 commits into backend from copilot/sub-pr-22, Mar 15, 2026

Conversation

Copilot AI (Contributor) commented Mar 15, 2026

Resolves a set of critical and major issues flagged by CodeRabbit on the initial backend implementation, spanning hardcoded secrets, resource leaks, race conditions, and flawed game logic.

Security

  • Secrets: Removed hardcoded JwtSettings:Key, GitHub:ClientSecret, and GitHub:ClientId from appsettings.json; replaced with empty placeholders. Values must be supplied via environment variables or user-secrets.
  • Fallback JWT key: Program.cs now throws InvalidOperationException at startup instead of silently using a known fallback key.

Resource & Error Handling

  • IDisposable leaks: HttpRequestMessage instances in AuthController and GitHubService now use using var.
  • GitHub upstream failures: Wrapped SendAsync/ReadFromJsonAsync in try-catch; added IsSuccessStatusCode guard before deserialization.
  • Accept header ordering: In GitHubService.GetAccessToken, the Accept: application/json header is now set on the request before SendAsync (previously set on the shared client after the request had already been sent).

Game Logic & Data Integrity

  • Self-award XP prevention: claim now validates the issue exists and IsActive in the database; submit derives the reward from Issue.XPReward rather than a hardcoded 30.
  • TOCTOU duplicate claim: Added a filtered unique index (UserId, GitHubIssueId) WHERE Status='In Progress' via a new migration; SaveChangesAsync is wrapped to return 409 Conflict on key violation.
  • Streak computation: Replaced CurrentStreak += 1 on every submit with date-aware logic using LastContributionDate — extends on consecutive days, resets on gaps, no-ops on same-day resubmits.
  • Active quests filter: my-active-quests was returning all quests for a user; now filters to Status == "In Progress" only.

Schema

  • GitHubId uniqueness: Added unique index on Users.GitHubId (the stable external identity) in the new AddUniqueConstraints migration, alongside the filtered quest index above.
  • Package versions: Pinned 8.0.* wildcard versions to 8.0.13 for all EF Core and JWT packages.

API Shape

  • Profile endpoint: GET /users/profile/{username} now returns a projected DTO instead of the raw EF entity graph, avoiding circular reference issues and inadvertent data exposure.

```csharp
// Before: returns the full entity with navigation properties
return Ok(user);

// After: returns an explicit public shape
var profile = new {
    user.GitHubUsername, user.AvatarUrl, user.ExperiencePoints,
    user.CurrentStreak, user.LastContributionDate,
    Contributions = user.Contributions.Select(c => new {
        c.CompletedAt, c.PullRequestUrl,
        Issue = c.Issue == null ? null : new { c.Issue.Title, c.Issue.RepoFullName, c.Issue.IssueUrl, c.Issue.Difficulty, c.Issue.XPReward }
    })
};
return Ok(profile);
```
  • Label matching: GitHub label comparisons now use StringComparison.OrdinalIgnoreCase.
  • GitHubIssueItem.Body: Made nullable (string?) to match GitHub API behaviour for empty issue bodies.


Co-authored-by: jaseel0 <225665919+jaseel0@users.noreply.github.com>
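The date-aware streak rule described under Game Logic (extend on consecutive days, reset on gaps, no-op on same-day resubmits), as an added example that is not the PR's own code: the User type, ApplySubmission and the Main driver are assumed names, and LastContributionDate is assumed to be stored as a UTC calendar date.

```csharp
using System;

// Hypothetical stand-in for the backend's User entity; only the two fields
// the streak rule needs are modelled here.
public sealed class User
{
    public int CurrentStreak { get; set; }
    public DateTime? LastContributionDate { get; set; }
}

public static class StreakLogic
{
    // Applies one accepted submission made at 'nowUtc' and returns the new streak.
    // Assumes LastContributionDate is persisted as a UTC date (time part ignored).
    public static int ApplySubmission(User user, DateTime nowUtc)
    {
        var today = nowUtc.Date;
        var last = user.LastContributionDate?.Date;

        if (last == today)
        {
            // Same-day resubmit: neither the streak nor the date changes.
            return user.CurrentStreak;
        }

        if (last == today.AddDays(-1))
        {
            // Consecutive day: extend the streak by one.
            user.CurrentStreak += 1;
        }
        else
        {
            // Gap of two or more days, first contribution, or a stored date in
            // the future (clock skew): start a fresh streak.
            user.CurrentStreak = 1;
        }

        user.LastContributionDate = today;
        return user.CurrentStreak;
    }

    public static void Main()
    {
        var user = new User();
        var day = new DateTime(2026, 3, 15, 0, 0, 0, DateTimeKind.Utc);
        Console.WriteLine(ApplySubmission(user, day));               // first contribution
        Console.WriteLine(ApplySubmission(user, day.AddHours(5)));   // same-day resubmit
        Console.WriteLine(ApplySubmission(user, day.AddDays(1)));    // consecutive day
        Console.WriteLine(ApplySubmission(user, day.AddDays(4)));    // gap, streak resets
    }
}
```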
Copilot AI changed the title from "[WIP] Add authentication and database integration for backend" to "fix(backend): address all CodeRabbit security and correctness issues" on Mar 15, 2026
Copilot AI requested a review from jaseel0 on March 15, 2026 13:01
github-actions bot added the "configuration" (Configuration file changes) label on Mar 15, 2026
naheel0 marked this pull request as ready for review on March 15, 2026 13:31
naheel0 merged commit c753130 into backend on Mar 15, 2026
6 checks passed
naheel0 deleted the copilot/sub-pr-22 branch on March 15, 2026 13:31