
refactor(kyc): apply lead feedback on liveness/review and remove SQL migration

Benabbes Walid requested to merge feat/kyc-review-liveness-fix-v2 into develop

This MR applies the latest review feedback on the KYC backend implementation, with a focus on liveness and review workflow robustness, API consistency, and test coverage.

What was improved

  • Liveness webhook idempotence

    • Reworked duplicate callback detection with null-safe checks (Objects.equals) to avoid fragile comparisons.
  • Liveness guards

    • Added stricter business guards before starting liveness (status/step validation).
  • Review decision validation

    • Enforced mandatory comment when decision is REJECT.
    • Aligned review decision flow to accept only SUBMITTED status (removed implicit IN_REVIEW path).
  • API contract cleanup

    • Moved reviewerId into request body for review decision endpoint.
    • Returned review data through a response DTO instead of exposing JPA entity directly.
  • Transactional/read consistency

    • Added read-only transaction for review retrieval method.
  • Webhook security hardening

    • Added dedicated liveness webhook security filter with configurable HMAC/IP checks.
  • Tests

    • Added/updated unit and web-slice tests for:
      • provider mismatch
      • idempotence behavior
      • externalId fallback
      • reject-without-comment validation
      • duplicate submit-for-review guard
      • investor endpoints for liveness/start and submit-review

Notes

  • For this local-first iteration, uniqueness handling is currently aligned with JPA constraints and service guards.
  • Changelog has been updated accordingly.

Validation

  • Local verification performed with Maven test/build and targeted Postman scenarios for liveness and review flows.
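The webhook hardening and null-safe idempotence check listed in the description, as an added example that is not code from this merge request. The class and method names, the HMAC-SHA256 hex signature scheme, the explicit IP-check toggle and the sample values are assumptions; it uses only the JDK (17 or later for `HexFormat`).

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.Objects;
import java.util.Set;

// Added illustration: every name here is hypothetical, not taken from the MR.
public class LivenessWebhookCheck {
    static byte[] hmac(byte[] secret, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Assumed scheme: the provider sends hex(HMAC-SHA256(secret, raw body)) in a header.
    // The MAC is computed over the raw request bytes, before any JSON parsing.
    static boolean signatureValid(byte[] secret, byte[] rawBody, String signatureHex) throws Exception {
        if (signatureHex == null) return false;              // missing header: reject
        try {
            byte[] received = HexFormat.of().parseHex(signatureHex.trim());
            return MessageDigest.isEqual(hmac(secret, rawBody), received); // constant-time compare
        } catch (IllegalArgumentException e) {
            return false;                                    // malformed hex: reject
        }
    }

    // Configurable IP check: when enabled, an empty or non-matching allow-list denies.
    static boolean ipAllowed(boolean enabled, Set<String> allowList, String remoteAddr) {
        return !enabled || (remoteAddr != null && allowList.contains(remoteAddr));
    }

    // Null-safe duplicate detection: a stored null (no callback processed yet)
    // compares as "different" instead of throwing a NullPointerException.
    static boolean isDuplicate(String storedId, String storedStatus, String newId, String newStatus) {
        return Objects.equals(storedId, newId) && Objects.equals(storedStatus, newStatus);
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-test-secret".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] body = "{\"externalId\":\"sess-1\",\"status\":\"PASSED\"}".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "{\"externalId\":\"sess-1\",\"status\":\"FAILED\"}".getBytes(StandardCharsets.UTF_8);
        String sig = HexFormat.of().formatHex(hmac(secret, body));
        System.out.println("valid signature:  " + signatureValid(secret, body, sig));
        System.out.println("tampered body:    " + signatureValid(secret, tampered, sig));
        System.out.println("unlisted address: " + ipAllowed(true, Set.of("203.0.113.10"), "198.51.100.7"));
        System.out.println("first callback:   " + isDuplicate(null, null, "sess-1", "PASSED"));
    }
}
```

Behind a reverse proxy, the address the filter sees is the proxy's unless forwarded headers are handled deliberately, so an IP allow-list is best treated as a secondary control to the HMAC check.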
