fix: аудит — 19 фиксов безопасности, надёжности, UI и 16 новых тестов

- S4: bump jinja2>=3.1.4, python-multipart>=0.0.18, httpx>=0.28.0
- S5: _detect_ecosystem — DEFAULT_ECOSYSTEM для неизвестных форматов
- S6: harvester — log.exception() вместо log.error()
- S8: _scan_component — urlencode параметров
- P1: scanner — proc.kill() при таймауте
- P3: api_packages — selectinload(Scan.findings), убран N+1
- P4+P5: утечка _url_locks и _llm_locks при early return
- P6: DB reaper — сброс {'status':'analyzing'} при старте
- UI: htmx-пагинация, фильтры не теряют flagged, 404 с layout
- UI: мобильные таблицы overflow-x, полная стата на дашборде
- UI: i18n статусов в _status_badge, urlencode package_name
- 16 новых тестов: analyze endpoint (6), scanner errors (4),
  webhook signature (2), llm client (4)

tests/test_webhooks.py

@@ -86,6 +86,7 @@ async def test_webhook_component_no_version(client, sample_nexus_component_webho
 
 # --- Ecosystem detection tests ---
 
+
 def test_detect_ecosystem_pypi():
     from guarddog_nexus.routes.webhooks import _detect_ecosystem
 
@@ -111,12 +112,13 @@ def test_detect_ecosystem_npm():
 def test_detect_ecosystem_unknown():
     from guarddog_nexus.routes.webhooks import _detect_ecosystem
 
-    assert _detect_ecosystem({"format": "maven"}) == "maven"
+    assert _detect_ecosystem({"format": "maven"}) == "pypi"  # unknown → default
     assert _detect_ecosystem({}) == "pypi"  # default
 
 
 # --- Go/npm webhook integration ---
 
+
 @pytest.mark.asyncio
 async def test_webhook_go_asset(client, sample_nexus_go_webhook):
     with patch("guarddog_nexus.routes.webhooks._scan_in_background") as _mock:
@@ -131,3 +133,34 @@ async def test_webhook_npm_asset(client, sample_nexus_npm_webhook):
         resp = await client.post("/webhooks/nexus", json=sample_nexus_npm_webhook)
         assert resp.status_code == 200
         assert resp.json()["status"] == "accepted"
+
+
+# --- Webhook signature validation ---
+
+
+@pytest.mark.asyncio
+async def test_webhook_missing_signature_when_required(client, sample_nexus_webhook):
+    import guarddog_nexus.config
+
+    guarddog_nexus.config.config.webhook_secret = "test-secret"
+
+    resp = await client.post("/webhooks/nexus", json=sample_nexus_webhook)
+    assert resp.status_code == 401
+
+    guarddog_nexus.config.config.webhook_secret = ""
+
+
+@pytest.mark.asyncio
+async def test_webhook_invalid_signature(client, sample_nexus_webhook):
+    import guarddog_nexus.config
+
+    guarddog_nexus.config.config.webhook_secret = "test-secret"
+
+    resp = await client.post(
+        "/webhooks/nexus",
+        json=sample_nexus_webhook,
+        headers={"X-Nexus-Webhook-Signature": "badsignature"},
+    )
+    assert resp.status_code == 403
+
+    guarddog_nexus.config.config.webhook_secret = ""