chore: 2.0.0-alpha.9 — security & correctness hardening (Void 3.0 quick wins)

- Q3: prod void DB role NOSUPERUSER (vector marked trusted; deploy/README documents it)
- Q4: buildChildEnv allow-list for the claude subprocess (no OWNER_TOKEN/DATABASE_URL/secrets leak)
- Q5: pending-change approve claims-before-applying + reopens on failure (no re-approvable dup)
- Q6: /capture/upload validates space_id (UUID+existence); pg pool statement_timeout 30s
- Q9: disabled failing syncoid-donatello timer on Z

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

lib/api/routes/capture.js

@@ -67,8 +67,12 @@ router.post('/upload',
       return res.status(400).json({ error: { code: 'validation_failed', message: 'file required' } });
     }
     const space_id = req.body.space_id;
-    if (!space_id) {
-      return res.status(400).json({ error: { code: 'validation_failed', message: 'space_id required' } });
+    if (!z.string().uuid().safeParse(space_id).success) {
+      return res.status(400).json({ error: { code: 'validation_failed', message: 'space_id must be a UUID' } });
+    }
+    const { rowCount } = await pool.query('SELECT 1 FROM spaces WHERE id=$1', [space_id]);
+    if (!rowCount) {
+      return res.status(404).json({ error: { code: 'not_found', message: 'space not found' } });
     }
     let meta = {};
     if (req.body.meta) {