feat: add GitHub OAuth, exploit rewards, landmines, and validation fix

- GitHub OAuth (next-auth v5) replaces free-text username input
- PAT auth path for API-based agents (Authorization: Bearer <token>)
- 5 discoverable exploit bonuses (capped, +650 max) with agent messages
- 2 prompt injection landmines (-200/-300 ELO penalties)
- Fix client/server validation mismatch (Web Worker -> /api/validate)
- /api/validate returns actual vs expected on failure (sandbox probing)
- Attempt tracking per user, visible on leaderboard
- Leaderboard sorts by ELO desc, then attempts asc
- Score breakdown on results screen (exploits found, safety status)

Co-authored-by: Cursor <cursoragent@cursor.com>