
feat: biometric auth hardening and webhook event catalog#654

Merged
Smartdevs17 merged 1 commit into Smartdevs17:main from gidson5:feat/issues-552-570 on Jun 25, 2026

Conversation

@gidson5 (Contributor) commented Jun 24, 2026

Summary

  • Implement biometric authentication hardening with device-bound keys #552: Hardened biometric authentication — exponential backoff lockout (3 failures → 3min, 6 → 10min, 9 → 30min), DeviceAttestationService with root/jailbreak detection, device-bound key pair tracking, bcrypt PIN hash storage (6+ digits), enrollment change detection, BiometricPolicy type, authenticateHardened() with lockout enforcement, useDeviceIntegrity hook with 24h cached attestation
  • Implement subscription lifecycle webhook event catalog #570: Comprehensive webhook event catalog (35 events) — subscription.* (13 events), payment.* (7 events), invoice.* (5 events), trial.* (4 events), usage.* (3 events), plan.* (4 events); EventCatalogRegistry with wildcard filtering (subscription.*), EventSchemaValidator with typed field validation, EventReplayWorker with per-subscription ordering guarantee and idempotency key deduplication, event versioning with Deprecation/Sunset/Link headers, expanded WebhookEventType union

Closes #552
Closes #570

Test plan

  • BiometricService: authenticateHardened() returns lockout error after 3 failures, resets on success
  • DeviceAttestationService: checkIntegrity() returns isIntact/isRooted/isEmulator, cached for 24h
  • PIN hash: stored and verified via setPinHash/verifyPin
  • EventCatalogRegistry: 35 events registered, getByCategory('payment') returns 7 events, wildcard subscription.* matches 13 events
  • EventSchemaValidator: rejects missing required fields, rejects wrong types, generates examples
  • EventReplayWorker: replays events in chronological order per subscription, skips already-delivered idempotency keys

🤖 Generated with Claude Code

- Harden biometric auth with exponential backoff lockout (3/10/30 min tiers) (Smartdevs17#552)
- Add DeviceAttestationService with root/jailbreak detection (Smartdevs17#552)
- Add device-bound key tracking, PIN hash storage, enrollment change detection (Smartdevs17#552)
- Add BiometricPolicy type and authenticateHardened() with lockout enforcement (Smartdevs17#552)
- Add useDeviceIntegrity hook with 24h cached attestation (Smartdevs17#552)
- Add EventCatalogRegistry with 35 typed events across 6 categories (Smartdevs17#570)
- Add EventSchemaValidator with field type and required checks (Smartdevs17#570)
- Add EventReplayWorker with per-subscription ordering and idempotency (Smartdevs17#570)
- Expand WebhookEventType to 35+ events covering full lifecycle (Smartdevs17#570)
- Support wildcard event filtering (subscription.*, payment.*) (Smartdevs17#570)
- Add event versioning with Deprecation/Sunset headers (Smartdevs17#570)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@drips-wave (Bot) commented Jun 24, 2026

@gidson5 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@Smartdevs17 Smartdevs17 merged commit 6a1e599 into Smartdevs17:main Jun 25, 2026
1 check passed

Development

Successfully merging this pull request may close these issues:

  • Implement subscription lifecycle webhook event catalog
  • Implement biometric authentication hardening with device-bound keys

3 participants