chore: 2.0.0-alpha.9 — security & correctness hardening (Void 3.0 quick wins)

- Q3: prod void DB role NOSUPERUSER (vector marked trusted; deploy/README documents it)
- Q4: buildChildEnv allow-list for the claude subprocess (no OWNER_TOKEN/DATABASE_URL/secrets leak)
- Q5: pending-change approve claims-before-applying + reopens on failure (no re-approvable dup)
- Q6: /capture/upload validates space_id (UUID+existence); pg pool statement_timeout 30s
- Q9: disabled failing syncoid-donatello timer on Z

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

lib/db/pool.js

@@ -5,7 +5,10 @@ import { log } from '../log.js';
 export const pool = new pg.Pool({
   connectionString: process.env.DATABASE_URL,
   max: 10,
-  idleTimeoutMillis: 30_000
+  idleTimeoutMillis: 30_000,
+  // Server-side cap so a pathological query can't pin a connection indefinitely.
+  // Generous enough for migrations + hybrid search on this homelab-scale DB.
+  statement_timeout: 30_000
 });
 
 // An idle pooled client can emit 'error' (DB restart, replication failover on