Harden external input handling for webhooks, drops, and OAuth registration

External payloads received through domain webhooks and drop ingestion are now normalized using explicit key whitelists instead of converting arbitrary string keys to atoms. This removes a denial-of-service vector where unbounded atom creation could crash the Erlang VM, and ensures unknown fields are ignored safely. OAuth registration metadata is also normalized more defensively, and stale OAuth registration rate-limit buckets are pruned automatically so the in-memory store cannot grow without bound.