[codex] Fix authz, scope propagation, and shell-injection bugs #320

Open: jmecom wants to merge 8 commits into block:main from jmecom:jm/morevulns

@jmecom (Collaborator) commented Apr 14, 2026

Summary

This PR fixes the authz, scope-propagation, and shell-injection vulnerabilities identified in the recent security review, and adds regression coverage for each fix.

What changed

  • prevent non-bootstrap callers from minting child tokens with scopes outside the caller context
  • require workflow ownership for workflow mutation/trigger paths and keep channel-bound workflows from sending outside their bound channel
  • preserve token channel restrictions across aggregate REST endpoints and WebSocket session handling
  • require API-token WebSocket auth to present a valid NIP-42 proof before token verification
  • re-check workflow execution against the owner/channel access context used at run time
  • stop managed-agent discovery from interpolating attacker-controlled command strings into a login shell
  • add regression tests covering each vulnerability class

Root cause

The main issue was incomplete mediation after authentication: once a caller was authenticated, several paths dropped delegated token/channel context or failed to bind the action to the specific protected resource. The desktop issue was separate: command lookup treated user-controlled input as shell syntax instead of data.

Validation

  • cargo test -p sprout-auth --lib
  • cargo test -p sprout-workflow --lib
  • cargo test -p sprout-relay --lib
  • cargo test --manifest-path desktop/src-tauri/Cargo.toml --lib
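
The attenuation rule behind the child-token and channel-restriction items in the description above, as an added Rust example that is not part of this PR or of the project's code. `AuthCtx`, `mint_child`, `MintError`, the scope and channel strings, and the choice that an omitted channel list inherits the caller's list are all assumptions made for illustration.

```rust
use std::collections::BTreeSet;

// Hypothetical model of a caller's auth context; not the project's real types.
#[derive(Debug, Clone, PartialEq)]
pub struct AuthCtx {
    pub bootstrap: bool,                    // true only for the bootstrap credential
    pub scopes: BTreeSet<String>,
    pub channels: Option<BTreeSet<String>>, // None = not channel-restricted
}

#[derive(Debug, PartialEq)]
pub enum MintError {
    ScopeEscalation(Vec<String>),   // requested scopes the caller does not hold
    ChannelEscalation(Vec<String>), // requested channels outside the caller's list
}

/// Mint a child context that can never exceed the caller's own authority.
pub fn mint_child(
    caller: &AuthCtx,
    scopes: BTreeSet<String>,
    channels: Option<BTreeSet<String>>,
) -> Result<AuthCtx, MintError> {
    if !caller.bootstrap {
        // Every requested scope must already be held by the caller.
        let extra: Vec<String> = scopes.difference(&caller.scopes).cloned().collect();
        if !extra.is_empty() {
            return Err(MintError::ScopeEscalation(extra));
        }
    }
    // Channel restrictions propagate: a restricted caller cannot mint an
    // unrestricted child. Assumption: an omitted list inherits the caller's.
    let channels = match (&caller.channels, channels) {
        (None, requested) => requested,
        (Some(allowed), None) => Some(allowed.clone()),
        (Some(allowed), Some(req)) => {
            let extra: Vec<String> = req.difference(allowed).cloned().collect();
            if !extra.is_empty() {
                return Err(MintError::ChannelEscalation(extra));
            }
            Some(req)
        }
    };
    Ok(AuthCtx { bootstrap: false, scopes, channels })
}

// Builds a set from string literals (constructed sample values).
pub fn set(items: &[&str]) -> BTreeSet<String> {
    items.iter().map(|s| s.to_string()).collect()
}
```

The case worth a regression test is the omitted channel list: treating "no list requested" as "unrestricted" silently widens a channel-bound token.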

@jmecom marked this pull request as ready for review April 14, 2026 19:57
@jmecom requested a review from wesbillman as a code owner April 14, 2026 19:57
@wesbillman
Collaborator

@tlongwell-block this one might be good for you to review
