security: harden device management and CI publishing #555

Open: usagi917 wants to merge 1 commit into ruvnet:main from usagi917:security/harden-before-public-push


@usagi917

Summary

  • fail closed when OTA PSK is not provisioned and require the same Bearer PSK for OTA/WASM management endpoints
  • require an admin token for Rust sensing server state-changing model, recording, training, adaptive, and calibration endpoints
  • sanitize recording ids and remove tracked CSI/vitals recordings plus local daemon state from git
  • stop PR builds from publishing GHCR images, pin previously mutable security actions, and remove shell-form container startup/root runtime

Verification

  • git diff --cached --check
  • ruby YAML load for .github/workflows/ci.yml, .github/workflows/security-scan.yml, docker/docker-compose.yml
  • python3 -m py_compile v1/src/api/main.py
  • grep checks for remaining @master/@main refs and tracked recording data

Notes

  • cargo and rustfmt are not installed in this local environment, so Rust compile/format verification is left to CI.
  • Removing tracked recordings in this PR does not scrub existing git history. If the repo has already been public, rotate/assess exposure and clean history with git filter-repo or BFG before treating the data as fully removed.
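
The two request-side checks the summary describes (fail closed when no secret is provisioned, and restricting recording ids), sketched as an added example that is not code from this PR or the project. All function and type names are hypothetical, and the allowlist and the 64-byte limit are assumptions; the PR's actual rules are not shown on this page.

```rust
// Added example, not the PR's code. Names, allowlist and length limit are assumptions.

#[derive(Debug, PartialEq)]
pub enum AuthError {
    NotProvisioned,     // no secret configured: refuse every request (fail closed)
    MissingOrMalformed, // no Authorization header, or not "Bearer <token>"
    BadToken,
}

/// Compare two byte strings without an early exit on the first mismatch.
/// The length check still reveals whether the lengths differ.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// `configured` is the provisioned secret (None or empty means unprovisioned).
/// `header` is the raw Authorization header value, if the request had one.
pub fn check_bearer(configured: Option<&str>, header: Option<&str>) -> Result<(), AuthError> {
    // An empty secret must not be treated as "auth disabled", and must never
    // be allowed to match an empty token.
    let secret = match configured {
        Some(s) if !s.is_empty() => s,
        _ => return Err(AuthError::NotProvisioned),
    };
    let token = header
        .and_then(|h| h.strip_prefix("Bearer "))
        .filter(|t| !t.is_empty())
        .ok_or(AuthError::MissingOrMalformed)?;
    if ct_eq(secret.as_bytes(), token.as_bytes()) { Ok(()) } else { Err(AuthError::BadToken) }
}

/// Accept only short ids made of [A-Za-z0-9_-], so an id used to build a
/// file name can never carry a path separator or "..".
pub fn sanitize_recording_id(id: &str) -> Option<&str> {
    let ok = !id.is_empty()
        && id.len() <= 64
        && id.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'_' || b == b'-');
    if ok { Some(id) } else { None }
}

fn main() {
    // Constructed inputs.
    println!("{:?}", check_bearer(None, Some("Bearer anything")));
    println!("{:?}", check_bearer(Some("constructed-psk"), Some("Bearer constructed-psk")));
    println!("{:?}", sanitize_recording_id("../../etc/passwd"));
}
```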
