
Commit c650e1f

imonlinuxclaude committed
Fix 21 Nextcloud Talk security and code quality issues
Complete security review and implementation of fixes for Nextcloud Talk integration based on comprehensive security audit findings.

HIGH PRIORITY fixes (security-critical):
- ghostwright#1: Implement replay attack protection with LRU cache (5-minute TTL)
- ghostwright#2: Add 64KB request size limit before body buffering
- ghostwright#4: Replace Date.now() with crypto.randomUUID() for unique IDs
- ghostwright#7: Fix JSON unwrap logic for ActivityStreams Note objects
- ghostwright#11: Replace 'Error:' text sniffing with runtime error events

Logic and security fixes:
- ghostwright#3: Fix msgId/msg name collision in error handling
- ghostwright#5: Improve parseConversationId to handle colons in tokens
- ghostwright#6: Reject webhooks without target.id instead of silent fallback
- ghostwright#8: Normalize emoji to avoid variation selector validation issues
- ghostwright#9: Handle 404/409 reaction responses as success conditions
- ghostwright#10: Make setReaction return boolean for proper error handling
- ghostwright#12: Improve bot loop guard with actorId checking

Best practices and polish:
- ghostwright#13: Make port configurable instead of hardcoded 3200
- ghostwright#14: Move webhookPath default normalization to constructor
- ghostwright#15: Fix health check path precedence (check webhook first)
- ghostwright#16: Add exponential backoff retry for 5xx/429 responses
- ghostwright#17: Add URL validation and encoding for talkServer config
- ghostwright#18: Document HMAC signing asymmetry (inbound vs outbound)
- ghostwright#20: Import randomUUID explicitly from node:crypto
- ghostwright#21: Add reactions: true to channel capabilities
- ghostwright#22: Namespace environment variables with NEXTCLOUD_ prefix

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 11d7f5e commit c650e1f

4 files changed

Lines changed: 317 additions & 79 deletions


.env.example

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -124,8 +124,8 @@ ANTHROPIC_API_KEY=
124124
# OPTIONAL: NextCloud Talk (webhook)
125125
# ========================
126126
# NEXTCLOUD_SHARED_SECRET=
127-
# ROOM_TOKEN=
128-
# TALK_SERVER=nextcloud.server.com
127+
# NEXTCLOUD_ROOM_TOKEN=
128+
# NEXTCLOUD_TALK_SERVER=nextcloud.server.com
129129

130130
# ========================
131131
# OPTIONAL: Secret Encryption
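Review bot: The renamed example `NEXTCLOUD_TALK_SERVER=nextcloud.server.com` still shows a bare hostname, while the commit message says this change adds URL validation and encoding for the talkServer config; the comment should state whether a bare host is accepted or a full `https://` URL is required, otherwise operators copying this example may fail the new validation at startup. The old `ROOM_TOKEN` and `TALK_SERVER` lines are removed rather than kept alongside the new names, so a deployment that upgrades without re-exporting its variables will stop picking up its token and server; a one-line migration note in this block (or a documented fallback to the old names) would make the rename safer.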

config/channels.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,6 @@ slack:
99
# nextcloud:
1010
# enabled: true
1111
# shared_secret: ${NEXTCLOUD_SHARED_SECRET}
12-
# talk_server: ${TALK_SERVER}
13-
# room_token: ${ROOM_TOKEN}
12+
# talk_server: ${NEXTCLOUD_TALK_SERVER}
13+
# room_token: ${NEXTCLOUD_ROOM_TOKEN}
1414
# webhook_path: /nextcloud/webhook
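Review bot: The `${TALK_SERVER}` and `${ROOM_TOKEN}` references are replaced with the `NEXTCLOUD_`-prefixed names with no compatibility path, so a deployment that updates this config but still exports the old variable names will interpolate empty values into `talk_server` and `room_token`; the rename deserves a comment here so it is visible to whoever maintains the environment. The commented example also does not surface the listener port that the commit message says is now configurable instead of hardcoded 3200; a commented example of that setting next to `webhook_path` would help operators find it.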
