GSSA-2026-05-J0ZPKK
2026-05-06
8.7 High

Unbounded request body on webhook and CI endpoints

The GitHub webhook and CI check-pr API routes read the full request body before any validation. Anyone able to reach the endpoints could post a multi-GB body and exhaust process memory. Fixed by adding a streaming size cap (1MB and 2MB respectively) that returns 413 before signature or JWT verification.

Webhook and CI endpoints accepted arbitrarily large bodies, enabling memory-exhaustion DoS.
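The ordering the fix relies on, as an added illustration that is not the project's own code: a Go handler that streams the webhook body through the 1 MB cap with http.MaxBytesReader and answers 413 before any HMAC work, so an oversized request never reaches the signature check or process memory. The shared secret, the X-Hub-Signature-256 header and the /webhook route are assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
)

const webhookMaxBody int64 = 1 << 20                  // cap from the advisory for the webhook route (1 MB)
var webhookSecret = []byte("example-shared-secret") // constructed secret for this example
func Sign(body []byte) string { // GitHub-style "sha256=<hex>" HMAC header for body
	mac := hmac.New(sha256.New, webhookSecret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// WebhookHandler streams the body through the cap and answers 413 before any signature work.
func WebhookHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, webhookMaxBody)
	body, err := io.ReadAll(r.Body) // buffers at most the cap, whatever the client sends
	if err != nil {
		code := http.StatusBadRequest
		if errors.As(err, new(*http.MaxBytesError)) { // cap hit mid-stream
			code = http.StatusRequestEntityTooLarge
		}
		http.Error(w, http.StatusText(code), code)
		return
	}
	// Only a bounded body reaches the constant-time HMAC comparison.
	if !hmac.Equal([]byte(Sign(body)), []byte(r.Header.Get("X-Hub-Signature-256"))) {
		http.Error(w, "invalid signature", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// HugeBody models an n-byte upload (e.g. 3 GB) without allocating it.
func HugeBody(n int64) io.Reader { return io.LimitReader(rand.Reader, n) }

// Deliver posts body with the given signature header and returns the status code.
func Deliver(body io.Reader, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", body)
	req.Header.Set("X-Hub-Signature-256", sig)
	rec := httptest.NewRecorder()
	WebhookHandler(rec, req)
	return rec.Code
}
```

Deliver(HugeBody(3<<30), "sha256=00") returns 413 after reading just over 1 MB, while a small body with a matching Sign header returns 200.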