Harden OIDC, add SVG sanitization, improve form UX and security defaults

Remove PKCE plain method support (S256 only), enforce openid scope requirement,
filter to supported scopes, strip reserved claims from custom claims as
defense-in-depth, sanitize SVG icons with Loofah, add global input padding,
switch session cookies to SameSite=Lax, use Session.active scope, and remove
unsafe-eval from CSP.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

app/models/application.rb

@@ -26,7 +26,7 @@ class Application < ApplicationRecord
 
   has_one_attached :icon
 
-  # Fix SVG content type after attachment
+  before_validation :sanitize_svg_icon, if: -> { attachment_changes["icon"].present? }
   after_save :fix_icon_content_type, if: -> { icon.attached? && saved_change_to_attribute?(:id) == false }
 
   has_many :application_groups, dependent: :destroy
@@ -283,6 +283,21 @@ class Application < ApplicationRecord
     end
   end
 
+  def sanitize_svg_icon
+    return unless icon.content_type == "image/svg+xml"
+
+    raw_svg = icon.download
+    doc = Loofah.xml_document(raw_svg)
+    doc.scrub!(SvgScrubber.new)
+    clean_svg = doc.to_xml
+
+    icon.attach(
+      io: StringIO.new(clean_svg),
+      filename: icon.filename.to_s,
+      content_type: "image/svg+xml"
+    )
+  end
+
   def icon_validation
     return unless icon.attached?