fix: P0 review fixes for the Rust control plane (#344 review)

[Zygimantass]

Fixes the low-effort/high-reward (P0) findings from the code review of #344, one commit per finding.

Correctness

• Execution claim race — mark_execution_running treated an already-running row as a successful claim, so a concurrent request with the same idempotency key could send the same input to the sandbox twice. It now returns a claimed flag set only by the actual queued→running transition, and the runtime only drives the execution when it owns the claim.
• absurd.await_event task/run mismatch — the function never verified p_run_id belongs to p_task_id, so a mismatched call could attach one task's run to another task's wait/checkpoint and put the wrong task to sleep. Added the same guard get_task_checkpoint_states already had. Shipped as migration 0009 (create or replace) rather than editing 0007, since 0007 is applied in live environments and sqlx validates migration checksums.
• Warm pool handed out not-ready sandboxes — Created sandboxes (not ready for byte I/O) were claimable and failed later at open_io. Since backends wait for readiness before the replenisher records a sandbox, Created at claim time means the runtime regressed: it is now marked failed and the next one is tried.
• Grant idempotency — grant_inputs_to_role documented idempotency but always POSTed a new grant; re-running centaur-perms … grant or startup role registration duplicated grants or conflicted. It now reuses the role's existing grant per secret.

Security

• Empty hosts ⇒ unscoped secret — an HTTP tool secret parsed with an empty hosts list emitted an empty iron-control rules array, leaving the credential host-unlimited. Both manifest parsers (centaur-perms and the api-server tool-discovery mirror) now fail closed, matching the existing brokered_token behavior.
  • ⚠️ tools/infra/grafana/pyproject.toml declares hosts = [] and is the one in-repo tool relying on the old behavior: it is now warn-skipped at discovery and errors in centaur-perms until real hosts are declared. Someone who knows the deployment's Grafana/VictoriaMetrics hostnames should add them.

Bot / rendering

• Lost final answers — codexAppServerToRendererEvents never called mapper.flush(), so finite sources ending without a terminal event lost buffered answer text and never got renderer.done. Now flushes like the streaming variant (regression test included, verified red-without-fix).
• Unbounded attachment buffering — Slack attachments were downloaded into memory and base64-inlined with no limit. Now capped at 100 MiB, checked against Slack's size metadata before downloading and re-checked on actual bytes; oversized attachments degrade via the existing fetchError channel.
• Recovery scan aborted on first failure — one corrupt obligation or render error stopped startup recovery for all remaining threads until the next restart. Each thread is now isolated, logged (slackbotv2_render_recovery_thread_failed), and deferred to the capped-backoff retry loop.

CI

• Fork PR builds failed at cache export — cache-to: type=registry pushes a cache manifest to GHCR even with push: false, and fork PRs run with a read-only token. The registry cache export is now gated on the same not-a-fork predicate as push.

Verification

• cargo check / cargo test on all touched crates (135 tests), cargo fmt --check, no new clippy warnings
• bun test + tsc --noEmit for packages/rendering (18) and services/slackbotv2 (22)
• Migrations 0001→0009 applied to a disposable Postgres 16; functional smoke test of the new guard: mismatched (task, run) raises does not belong, matched pair passes the guard and fails on the pre-existing must be running check
• actionlint on the workflow change