security: Fix 10 vulnerabilities, remove 12 dead code instances

Critical fixes:
- Remove hardcoded admin/admin123 credentials from UserManager
- Enable JWT signature verification (was disabled for debugging)
- Redact secrets from /dev/config endpoint (was exposing os.environ)
- Remove hardcoded SSH admin/admin credentials from hardware service
- Add channel validation to prevent command injection in router interface

Rust fixes:
- Replace partial_cmp().unwrap() with .unwrap_or(Equal) to prevent
  NaN panics in 6 locations across core, signal, nn, mat crates
- Replace .expect()/.unwrap() with safe fallbacks in utils, csi_receiver
- Replace SystemTime unwrap with unwrap_or_default

Dead code removed:
- Duplicate imports (CORSMiddleware, os, Path, ABC, subprocess)
- Unused AdaptiveRateLimit/RateLimitStorage/RedisRateLimitStorage (~110 lines)
- Unused _log_authentication_event method
- Unused Confidence::new_unchecked in Rust
- Fix bare except: clause to except Exception:

https://claude.ai/code/session_01Ki7pvEZtJDvqJkmyn6B714

v1/src/api/main.py

@@ -380,10 +380,19 @@ if settings.metrics_enabled:
 if settings.is_development and settings.enable_test_endpoints:
     @app.get(f"{settings.api_prefix}/dev/config")
     async def dev_config():
-        """Get current configuration (development only)."""
+        """Get current configuration (development only).
+
+        Returns a sanitized view -- secret keys and passwords are redacted.
+        """
+        _sensitive = {"secret", "password", "token", "key", "credential", "auth"}
+        raw = settings.dict()
+        sanitized = {
+            k: "***REDACTED***" if any(s in k.lower() for s in _sensitive) else v
+            for k, v in raw.items()
+        }
         domain_config = get_domain_config()
         return {
-            "settings": settings.dict(),
+            "settings": sanitized,
             "domain_config": domain_config.to_dict()
         }