FRE-4499: Fix security review findings (S01-S06)
- S01 (High): Pre-compile regex patterns in RuleEngine.loadActiveRules() and
cache them; eliminate per-evaluation RegExp construction in rule-engine.ts
and spamshield.service.ts (ReDoS mitigation)
- S02 (High): SMS classifier now accepts optional senderPhoneNumber via
SmsClassificationContext; reputation check uses actual sender instead of
hardcoded 'placeholder'
- S03 (Medium): AlertServer (services/spamshield) now enforces JWT auth,
origin allowlist, and max client limit on WebSocket connections
- S04 (Medium): hashPhoneNumber() uses SHA-256 (crypto.createHash) instead
of reversible hex encoding (Buffer.toString('hex'))
- S05 (Medium): DecisionEngine.evaluate() wraps evaluation in Promise.race
with configurable evaluationTimeout; returns fallback decision on timeout
- S06 (Medium): CarrierFactory.getAllCarriers() is now async and properly
awaits isHealthy() promises instead of returning raw Promise objects
Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -90,13 +90,14 @@ export class CarrierFactory {
|
||||
}
|
||||
}
|
||||
|
||||
getAllCarriers(): Array<{ type: CarrierType; healthy: boolean }> {
|
||||
async getAllCarriers(): Promise<Array<{ type: CarrierType; healthy: boolean }>> {
|
||||
const results: Array<{ type: CarrierType; healthy: boolean }> = [];
|
||||
|
||||
|
||||
for (const [type, carrier] of this.carriers.entries()) {
|
||||
const healthy = await carrier.isHealthy();
|
||||
results.push({
|
||||
type,
|
||||
healthy: carrier.isHealthy(),
|
||||
healthy,
|
||||
});
|
||||
}
|
||||
|
||||
|
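Review bot: The new loop in getAllCarriers() awaits each carrier.isHealthy() one after another, so a single slow or hung carrier delays the health report for every carrier after it, and — if isHealthy() can reject (I cannot see its contract from this hunk) — one rejection now makes the whole getAllCarriers() call reject rather than reporting that carrier as unhealthy. The S05 timeout this commit adds to DecisionEngine does not cover this path. The checks are independent, so running them with Promise.all and mapping a failed check to `healthy: false` keeps the return type unchanged while bounding the call to the slowest single carrier instead of the sum; a per-check timeout in the same style as S05 would be a natural follow-up. The method body is entirely within the hunk; the enclosing CarrierFactory class continues outside it.
```typescript
  async getAllCarriers(): Promise<Array<{ type: CarrierType; healthy: boolean }>> {
    // Probe every carrier concurrently; a failed probe is reported as unhealthy
    // rather than failing the whole listing.
    const probes = Array.from(this.carriers.entries(), async ([type, carrier]) => {
      try {
        return { type, healthy: await carrier.isHealthy() };
      } catch {
        return { type, healthy: false };
      }
    });
    return Promise.all(probes);
  }
```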
||||