fix(#377): remediate code review and security findings

- Fix sendThreadMessage room mismatch: use channelId from options instead of hardcoded controlRoomId
- Add .catch() to fire-and-forget handleRoomMessage to prevent silent error swallowing
- Wrap dispatchJob in try-catch for user-visible error reporting in handleFixCommand
- Add MATRIX_BOT_USER_ID validation in connect() to prevent infinite message loops
- Fix streamResponse error masking: wrap finally/catch side-effects in try-catch
- Replace unsafe type assertion with public getClient() in MatrixRoomService
- Add orphaned room warning in provisionRoom on DB failure
- Add provider identity to Herald error logs
- Add channelId to ThreadMessageOptions interface and all callers
- Add missing env var warnings in BridgeModule factory
- Fix JSON injection in setup-bot.sh: use jq for safe JSON construction

Fixes #377

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/api/src/bridge/bridge.module.ts

@@ -46,6 +46,16 @@ const logger = new Logger("BridgeModule");
         }
 
         if (process.env.MATRIX_ACCESS_TOKEN) {
+          const missingVars = [
+            "MATRIX_HOMESERVER_URL",
+            "MATRIX_BOT_USER_ID",
+            "MATRIX_WORKSPACE_ID",
+          ].filter((v) => !process.env[v]);
+          if (missingVars.length > 0) {
+            logger.warn(
+              `Matrix bridge enabled but missing: ${missingVars.join(", ")}. connect() will fail.`
+            );
+          }
           providers.push(matrix);
           logger.log("Matrix bridge enabled (MATRIX_ACCESS_TOKEN detected)");
         }