Commit c6ee739
feat: security hardening and API validation quick wins
- Wire Zod schemas into BagsClient for all API response parsing
- Add Content-Security-Policy header to security headers hook
- Default CORS to restrictive (deny-all when CORS_ORIGINS not set)
- Add Bags API health check to /health/ready endpoint
- Add Solana pubkey validation (base58 pattern) on all wallet route params
- Add ownerWallet validation on strategy creation
- Bump pino to ^10.0.0 and pino-pretty to ^13.0.0 to match installed versions

1 parent 0d288ba commit c6ee739
7 files changed
Lines changed: 107 additions & 223 deletions
File tree
- backend
- src
- clients
- routes