[Security] Enable CFI/LTO Hardening and Automated SBOM Generation #481

@somethingwithproof

Description

Summary

This issue covers hardening the poller binary against memory-corruption exploit vectors and providing transparency into its software supply chain.

Work

  • Control Flow Integrity (CFI): Compile with CFI so that indirect calls through function pointers in the poller are checked against the expected target type and cannot be hijacked.
  • Link-Time Optimization (LTO): Enable LTO in the CI build for cross-file inlining and improved static analysis (CFI also requires it).
  • Automated SBOM (CycloneDX/SPDX): Generate a Software Bill of Materials in the GHA pipeline so that vulnerable versions of OpenSSL or MySQL can be identified as soon as they are disclosed.
  • Hermetic/Static Bundling: Link libmysqlclient and libnetsnmp statically for easier, conflict-free enterprise distribution.

Estimated Effort: 32–50 man-hours.
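The following workflow is an added example of how the CFI/LTO and SBOM items above could be wired into GitHub Actions; it is not part of this issue or of the project's own CI. It assumes the project builds with CMake, that clang and lld are acceptable in CI, and that the Anchore `sbom-action`/`scan-action` actions are used for SBOM generation and vulnerability matching. The job and artifact names are placeholders.

```yaml
# Added example (not the project's workflow): build the poller with clang CFI + LTO,
# sanity-check that CFI is really linked in, then emit a CycloneDX SBOM and fail the
# build on known-vulnerable components.
# Assumptions: CMake project at the repo root; job/artifact names are placeholders.
name: hardened-build

on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install toolchain and library headers
        run: |
          sudo apt-get update
          sudo apt-get install -y clang lld cmake libmysqlclient-dev libsnmp-dev

      - name: Configure with CFI + LTO
        env:
          CC: clang
          CXX: clang++
          # -fsanitize=cfi requires -flto and -fvisibility=hidden. The non-trap
          # variant calls the UBSan CFI handler instead of executing ud2, which
          # gives a diagnostic (and a grep-able runtime symbol) on a violation.
          CFLAGS: -O2 -flto -fvisibility=hidden -fsanitize=cfi -fno-sanitize-trap=cfi
          LDFLAGS: -fuse-ld=lld -flto -fsanitize=cfi -fno-sanitize-trap=cfi
        run: cmake -S . -B build -DCMAKE_INTERPROCEDURAL_OPTIMIZATION=ON

      - name: Build
        run: cmake --build build --parallel

      - name: Verify CFI instrumentation is present
        # Placeholder binary path; adjust to the poller's real output name.
        run: |
          nm build/poller | grep -q __ubsan_handle_cfi_check_fail \
            || { echo "CFI runtime handler not linked in"; exit 1; }

      - name: Generate SBOM (CycloneDX JSON)
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: cyclonedx-json
          artifact-name: sbom.cdx.json
          output-file: sbom.cdx.json

      - name: Scan SBOM for known vulnerabilities
        uses: anchore/scan-action@v3
        with:
          sbom: sbom.cdx.json
          fail-build: true
          severity-cutoff: high
```

Two caveats a practitioner will hit. First, CFI only protects indirect calls inside code compiled with the flag, so the static bundling item matters here: if libmysqlclient and libnetsnmp are compiled into the binary from source with the same flags, their function pointers are covered; if prebuilt archives are linked in, they are not. Second, an SBOM generator scanning a C source tree sees package manifests, not libraries pulled in at link time, so the statically linked OpenSSL, MySQL client and Net-SNMP versions will not appear in the SBOM unless the build records them explicitly (for example, by writing the resolved versions into a component list that is merged into the generated document). Without that step the scan above cannot flag a vulnerable OpenSSL, which is exactly the case the SBOM item is meant to catch.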

Acceptance Criteria

  • Work items are implemented and validated.
  • Changes preserve behavior unless explicitly intended.
