fix: address code and security review findings from Phase 2A

- Remove committed __pycache__ artifacts; add to .gitignore
- Wrap config JSON parse in try/except to prevent CLI crash on malformed config
- Add SSRF mitigation to webhook_adapter: reject non-http(s) schemes, refuse auth_token over cleartext to non-localhost, block private IPs
- Add _sanitize() to discord_formatter: strip ANSI/control chars, neutralize @everyone/@here Discord mentions
2
.gitignore
vendored
@@ -1,2 +1,4 @@
|
||||
node_modules/
|
||||
rails
|
||||
*.pyc
|
||||
**/__pycache__/
|
||||
|
||||
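Review bot: The `**/__pycache__/` entry at the end of this hunk can be written as plain `__pycache__/`, since a gitignore pattern whose only slash is the trailing one already matches that directory at any depth. Consider widening `*.pyc` to `*.py[cod]` so optimized bytecode files are covered as well. Neither rule untracks files that are already in the index, and this hunk shows only the ignore rules, so confirm the committed `__pycache__` artifacts named in the commit message were actually dropped with `git rm -r --cached`.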