security(line): synthesize strict LINE auth boundary hardening

LINE auth boundary hardening synthesis for inbound webhook authn/z/authz:
- account-scoped pairing-store access
- strict DM/group allowlist boundary separation
- fail-closed webhook auth/runtime behavior
- replay and duplicate handling with in-flight continuity for concurrent redeliveries

Source PRs: #26701, #26683, #25978, #17593, #16619, #31990, #26047, #30584, #18777
Related continuity context: #21955

Co-authored-by: bmendonca3 <208517100+bmendonca3@users.noreply.github.com>
Co-authored-by: davidahmann <46606159+davidahmann@users.noreply.github.com>
Co-authored-by: harshang03 <58983401+harshang03@users.noreply.github.com>
Co-authored-by: haosenwang1018 <167664334+haosenwang1018@users.noreply.github.com>
Co-authored-by: liuxiaopai-ai <73659136+liuxiaopai-ai@users.noreply.github.com>
Co-authored-by: coygeek <65363919+coygeek@users.noreply.github.com>
Co-authored-by: lailoo <20536249+lailoo@users.noreply.github.com>

src/line/bot-message-context.test.ts

@@ -114,6 +114,26 @@ describe("buildLineMessageContext", () => {
     expect(context?.ctxPayload.To).toBe("line:room:room-1");
   });
 
+  it("keeps non-text message contexts fail-closed for command auth", async () => {
+    const event = createMessageEvent(
+      { type: "user", userId: "user-audio" },
+      {
+        message: { id: "audio-1", type: "audio", duration: 1000 } as MessageEvent["message"],
+      },
+    );
+
+    const context = await buildLineMessageContext({
+      event,
+      allMedia: [],
+      cfg,
+      account,
+      commandAuthorized: false,
+    });
+
+    expect(context).not.toBeNull();
+    expect(context?.ctxPayload.CommandAuthorized).toBe(false);
+  });
+
   it("sets CommandAuthorized=true when authorized", async () => {
     const event = createMessageEvent({ type: "user", userId: "user-auth" });