chore: tune ZAP DAST scan -- auth, timeouts, rules, report artifacts #1096

@Aureliolo

Description

Summary

The weekly ZAP DAST scan (.github/workflows/dast.yml) needs tuning. Issue #760 keeps getting updated with noise because the rules file doesn't suppress all triaged alerts, and the scan only covers unauthenticated endpoints.

Changes

1. Fix issue noise (closes #760)

  • Change rule 10049 (Storable/Cacheable Content) from WARN to IGNORE
  • Add rule 10104 (User Agent Fuzzer) as IGNORE
  • Add rule 90005 (Sec-Fetch-* Headers Missing) as single IGNORE entry (already present but only covers one sub-alert)
  • Once all alerts are IGNORE'd, the action auto-closes ZAP API Scan Report #760

2. Add JWT authentication

  • Generate a long-lived test JWT before the scan
  • Pass via ZAP_AUTH_HEADER/ZAP_AUTH_HEADER_VALUE/ZAP_AUTH_HEADER_SITE env vars
  • Unlocks scanning of all authenticated endpoints (currently all return 401/403)
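The following is an added example (it is not the project's workflow code) showing the two halves of this step: minting a long-lived HS256 test JWT with only the standard library, and mapping it onto the ZAP_AUTH_HEADER / ZAP_AUTH_HEADER_VALUE / ZAP_AUTH_HEADER_SITE variables so the ZAP container attaches it to every request. The HS256 algorithm, the shared secret, and the `sub`/`iat`/`exp` claims are assumptions, not something the issue states; a real workflow reads the secret from a CI secret rather than a literal.

```python
"""Added example: mint a long-lived HS256 test JWT for a DAST run and build the
ZAP auth-header environment. Not the project's own code.

Assumed (not stated in the issue): the API verifies HS256 tokens with a shared
secret and only needs the claims `sub`, `iat` and `exp`.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    # JWS uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_test_jwt(secret: bytes, subject: str, lifetime_s: int, now: int | None = None) -> str:
    """Return a compact-serialised HS256 JWT that stays valid for `lifetime_s` seconds,
    long enough to outlive the whole scan so ZAP never hits an expired token mid-run."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + lifetime_s}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_claims(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature in constant time and return the payload; raise on mismatch."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def zap_auth_env(token: str, site: str, header: str = "Authorization") -> dict[str, str]:
    """Environment the ZAP container reads to inject the header into every request.
    ZAP_AUTH_HEADER_SITE restricts injection to the named host so the bearer token
    is not sent to any third-party origin the scan happens to follow."""
    return {
        "ZAP_AUTH_HEADER": header,
        "ZAP_AUTH_HEADER_VALUE": f"Bearer {token}",
        "ZAP_AUTH_HEADER_SITE": site,
    }


if __name__ == "__main__":
    # Constructed secret for the demo only; a workflow would read it from a CI secret.
    token = mint_test_jwt(b"constructed-test-secret", "dast-bot", 7 * 24 * 3600)
    for key, value in zap_auth_env(token, "localhost").items():
        print(f"{key}={value[:40]}...")
```

In a workflow the three keys would be exported as `env:` on the scan step, and the scan's own DAST user should be a dedicated low-privilege account so the token only unlocks the endpoints the scan is meant to cover.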

3. Performance and timeout controls

  • -T 20 -- cap ZAP startup + passive scan at 20 min
  • scanner.threadPerHost=5 -- faster on localhost
  • scanner.maxRuleDurationInMins=5 -- no single rule dominates
  • scanner.maxScanDurationInMins=30 -- hard cap on active scan

4. Report artifacts

  • -J report.json -- machine-parseable output
  • -r report.html -- rich human-readable report

5. Promote critical rules to FAIL

  • SQL Injection (40018), OS Command Injection (90020), SSRF (40046), XXE (90023) set to FAIL
  • Prepares for eventual fail_action: true
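The added example below (not the project's own code) ties steps 1, 4 and 5 together: it parses a ZAP rules file, reads a `-J report.json` style report, buckets each alert by the action the rules assign it, and reports whether the run would pass, warn (and so keep writing noise into the tracking issue) or fail. It assumes the tab-separated `<id>\t<IGNORE|WARN|FAIL>\t(name)` format the zaproxy scan scripts read, that an unlisted alert defaults to WARN, and that a bare plugin id covers every `<id>-<n>` sub-alert; the rules text and report contents are constructed, with the "before" file showing why a single sub-alert entry for 90005 was not enough.

```python
"""Added example, not the project's own code: decide what a ZAP rules file does
to the alerts in a ZAP JSON report.

Assumed (not stated in the issue): rules lines are `<id>\t<ACTION>\t(name)`,
`#` starts a comment, unlisted alerts default to WARN, and a bare plugin id
matches all of its `<id>-<n>` sub-alerts. All sample data is constructed.
"""
from __future__ import annotations

import json
import re

VALID_ACTIONS = {"IGNORE", "WARN", "FAIL"}
RULE_ID = re.compile(r"\d+(-\d+)?")  # plugin id, optionally a sub-alert reference

# Constructed rules file reflecting the actions listed in this issue.
RULES_AFTER = """\
# id\taction\t(name)
10049\tIGNORE\t(Storable and Cacheable Content)
10104\tIGNORE\t(User Agent Fuzzer)
90005\tIGNORE\t(Sec-Fetch-* Headers Missing)
40018\tFAIL\t(SQL Injection)
90020\tFAIL\t(OS Command Injection)
40046\tFAIL\t(Server Side Request Forgery)
90023\tFAIL\t(XML External Entity Attack)
"""

# Constructed "before" file: only one Sec-Fetch sub-alert is suppressed.
RULES_BEFORE = "90005-1\tIGNORE\t(Sec-Fetch-Dest Header is Missing)\n"

# Constructed report in the shape ZAP writes with -J, trimmed to the keys used here.
REPORT = json.dumps({"site": [{"@name": "http://localhost:8080", "alerts": [
    {"pluginid": "10049", "alertRef": "10049", "name": "Storable and Cacheable Content", "riskcode": "0"},
    {"pluginid": "90005", "alertRef": "90005-2", "name": "Sec-Fetch-Mode Header is Missing", "riskcode": "0"},
    {"pluginid": "10021", "alertRef": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1"},
    {"pluginid": "40018", "alertRef": "40018", "name": "SQL Injection", "riskcode": "3"},
]}]})


def parse_rules(text: str) -> dict[str, str]:
    """Map rule id -> action, rejecting malformed lines instead of silently dropping them."""
    rules: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split("\t")
        if len(parts) < 2 or not RULE_ID.fullmatch(parts[0]) or parts[1] not in VALID_ACTIONS:
            raise ValueError(f"rules line {lineno}: expected '<id>\\t<IGNORE|WARN|FAIL>\\t(name)', got {raw!r}")
        rules[parts[0]] = parts[1]
    return rules


def action_for(alert: dict, rules: dict[str, str]) -> str:
    """Most specific rule wins: exact alertRef, then the bare plugin id, then the WARN default."""
    ref = alert.get("alertRef", alert["pluginid"])
    return rules.get(ref) or rules.get(alert["pluginid"]) or "WARN"


def triage(report_text: str, rules: dict[str, str]) -> dict[str, list[str]]:
    """Bucket every alert in the report by the action the rules file assigns it."""
    buckets: dict[str, list[str]] = {action: [] for action in VALID_ACTIONS}
    for site in json.loads(report_text).get("site", []):
        for alert in site.get("alerts", []):
            buckets[action_for(alert, rules)].append(alert.get("alertRef", alert["pluginid"]))
    return buckets


def verdict(buckets: dict[str, list[str]]) -> str:
    """'fail' if a FAIL rule fired, 'warn' if anything would still be written to the
    tracking issue, 'pass' when every alert is IGNOREd (the state that lets the action
    close the issue)."""
    if buckets["FAIL"]:
        return "fail"
    if buckets["WARN"]:
        return "warn"
    return "pass"


if __name__ == "__main__":
    for label, rules_text in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        buckets = triage(REPORT, parse_rules(rules_text))
        print(label, verdict(buckets), buckets)
```

Running the same report through both rule files shows the two effects the issue is after: with the "before" file the 90005-2 sub-alert and everything unlisted land in WARN and keep the issue noisy, while with the tuned file only the untriaged 10021 remains as WARN and the SQL Injection finding is what would trip `fail_action: true` once that is enabled.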

6. Close #760

Once the rules are updated, the ZAP action will auto-close #760 on the next run.

Metadata

Assignees

No one assigned

    Labels

    scope:small (Less than 1 day of work)
    spec:security (DESIGN_SPEC Section 12 - Security & Approval System)
    type:chore (Maintenance, cleanup, dependency updates)
    v0.6 (Minor version v0.6)

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests