feat: Production readiness improvements for WHOOSH council formation

Major security, observability, and configuration improvements:

## Security Hardening
- Implemented configurable CORS (no more wildcards)
- Added comprehensive auth middleware for admin endpoints
- Enhanced webhook HMAC validation
- Added input validation and rate limiting
- Security headers and CSP policies

## Configuration Management
- Made N8N webhook URL configurable (WHOOSH_N8N_BASE_URL)
- Replaced all hardcoded endpoints with environment variables
- Added feature flags for LLM vs heuristic composition
- Gitea fetch hardening with EAGER_FILTER and FULL_RESCAN options

## API Completeness
- Implemented GetCouncilComposition function
- Added GET /api/v1/councils/{id} endpoint
- Council artifacts API (POST/GET /api/v1/councils/{id}/artifacts)
- /admin/health/details endpoint with component status
- Database lookup for repository URLs (no hardcoded fallbacks)

## Observability & Performance
- Added OpenTelemetry distributed tracing with goal/pulse correlation
- Performance optimization database indexes
- Comprehensive health monitoring
- Enhanced logging and error handling

## Infrastructure
- Production-ready P2P discovery (replaces mock implementation)
- Removed unused Redis configuration
- Enhanced Docker Swarm integration
- Added migration files for performance indexes

## Code Quality
- Comprehensive input validation
- Graceful error handling and failsafe fallbacks
- Backwards compatibility maintained
- Following security best practices

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

internal/gitea/webhook.go

@@ -1,6 +1,7 @@
 package gitea
 
 import (
+	"context"
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/hex"
@@ -12,6 +13,9 @@ import (
 	"time"
 
 	"github.com/rs/zerolog/log"
+	"go.opentelemetry.io/otel/attribute"
+	
+	"github.com/chorus-services/whoosh/internal/tracing"
 )
 
 type WebhookHandler struct {
@@ -43,26 +47,105 @@ func (h *WebhookHandler) ValidateSignature(payload []byte, signature string) boo
 }
 
 func (h *WebhookHandler) ParsePayload(r *http.Request) (*WebhookPayload, error) {
+	return h.ParsePayloadWithContext(r.Context(), r)
+}
+
+func (h *WebhookHandler) ParsePayloadWithContext(ctx context.Context, r *http.Request) (*WebhookPayload, error) {
+	ctx, span := tracing.StartWebhookSpan(ctx, "parse_payload", "gitea")
+	defer span.End()
+	
+	// Add tracing attributes
+	span.SetAttributes(
+		attribute.String("webhook.source", "gitea"),
+		attribute.String("webhook.content_type", r.Header.Get("Content-Type")),
+		attribute.String("webhook.user_agent", r.Header.Get("User-Agent")),
+		attribute.String("webhook.remote_addr", r.RemoteAddr),
+	)
+	
+	// Limit request body size to prevent DoS attacks (max 10MB for webhooks)
+	r.Body = http.MaxBytesReader(nil, r.Body, 10*1024*1024)
+	
 	// Read request body
 	body, err := io.ReadAll(r.Body)
 	if err != nil {
+		tracing.SetSpanError(span, err)
+		span.SetAttributes(attribute.String("webhook.parse.status", "failed"))
 		return nil, fmt.Errorf("failed to read request body: %w", err)
 	}
+	
+	span.SetAttributes(attribute.Int("webhook.payload.size_bytes", len(body)))
 
 	// Validate signature if secret is configured
 	if h.secret != "" {
 		signature := r.Header.Get("X-Gitea-Signature")
-		if !h.ValidateSignature(body, signature) {
-			return nil, fmt.Errorf("invalid webhook signature")
+		span.SetAttributes(attribute.Bool("webhook.signature_required", true))
+		if signature == "" {
+			err := fmt.Errorf("webhook signature required but missing")
+			tracing.SetSpanError(span, err)
+			span.SetAttributes(attribute.String("webhook.parse.status", "signature_missing"))
+			return nil, err
 		}
+		if !h.ValidateSignature(body, signature) {
+			log.Warn().
+				Str("remote_addr", r.RemoteAddr).
+				Str("user_agent", r.Header.Get("User-Agent")).
+				Msg("Invalid webhook signature attempt")
+			err := fmt.Errorf("invalid webhook signature")
+			tracing.SetSpanError(span, err)
+			span.SetAttributes(attribute.String("webhook.parse.status", "invalid_signature"))
+			return nil, err
+		}
+		span.SetAttributes(attribute.Bool("webhook.signature_valid", true))
+	} else {
+		span.SetAttributes(attribute.Bool("webhook.signature_required", false))
+	}
+
+	// Validate Content-Type header
+	contentType := r.Header.Get("Content-Type")
+	if !strings.Contains(contentType, "application/json") {
+		err := fmt.Errorf("invalid content type: expected application/json")
+		tracing.SetSpanError(span, err)
+		span.SetAttributes(attribute.String("webhook.parse.status", "invalid_content_type"))
+		return nil, err
+	}
+
+	// Parse JSON payload with size validation
+	if len(body) == 0 {
+		err := fmt.Errorf("empty webhook payload")
+		tracing.SetSpanError(span, err)
+		span.SetAttributes(attribute.String("webhook.parse.status", "empty_payload"))
+		return nil, err
 	}
 
-	// Parse JSON payload
 	var payload WebhookPayload
 	if err := json.Unmarshal(body, &payload); err != nil {
+		tracing.SetSpanError(span, err)
+		span.SetAttributes(attribute.String("webhook.parse.status", "json_parse_failed"))
 		return nil, fmt.Errorf("failed to parse webhook payload: %w", err)
 	}
 
+	// Add payload information to span
+	span.SetAttributes(
+		attribute.String("webhook.event_type", payload.Action),
+		attribute.String("webhook.parse.status", "success"),
+	)
+
+	// Add repository and issue information if available
+	if payload.Repository.FullName != "" {
+		span.SetAttributes(
+			attribute.String("webhook.repository.full_name", payload.Repository.FullName),
+			attribute.Int64("webhook.repository.id", payload.Repository.ID),
+		)
+	}
+
+	if payload.Issue != nil {
+		span.SetAttributes(
+			attribute.Int64("webhook.issue.id", payload.Issue.ID),
+			attribute.String("webhook.issue.title", payload.Issue.Title),
+			attribute.String("webhook.issue.state", payload.Issue.State),
+		)
+	}
+
 	return &payload, nil
 }