Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks

Phase 1 (Security Critical):
- Auth plugin encapsulation: replaced global addHook with Fastify plugin scope
- Removed startsWith URL matching; public routes registered outside auth scope
- JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion)
- Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead
- withTenant() remains primary tenant-scoped query path

Phase 2 (Infrastructure):
- docker-compose.yml: all secrets via env var substitution (${VAR:-default})
- Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh
- .env.example with all configurable secrets
- build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded
- .gitignore excludes .env files
- @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup
- CORS_ORIGIN default changed from '*' to 'http://localhost:5173'

Phase 3 (Product):
- Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id
- Signup accepts optional invite_token to join existing tenant
- Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue

Console:
- All 5 product modules wired: drift, alert, portal, cost, run
- PageHeader accepts children prop
- 71 modules, 70KB gzipped production build

All 6 projects compile clean (tsc --noEmit).

products/.env.example

@@ -1,37 +1,28 @@
-# dd0c Environment Variables
-# Copy to .env and fill in your values
+# dd0c Environment Configuration
+# Copy to .env and fill in real values before deploying.
+# NEVER commit .env to git.
 
-# --- Shared ---
-DATABASE_URL=postgresql://dd0c:dd0c-dev@localhost:5432/dd0c_alert
-REDIS_URL=redis://localhost:6379
-JWT_SECRET=change-me-to-a-real-secret-at-least-32-chars
-CORS_ORIGIN=*
+# --- Postgres ---
+POSTGRES_USER=dd0c
+POSTGRES_PASSWORD=change-me-in-production
+
+# --- Per-service DB credentials (created by docker-init-db.sh) ---
+DB_DRIFT_PASSWORD=change-me-drift
+DB_ALERT_PASSWORD=change-me-alert
+DB_PORTAL_PASSWORD=change-me-portal
+DB_COST_PASSWORD=change-me-cost
+DB_RUN_PASSWORD=change-me-run
+
+# --- Auth ---
+JWT_SECRET=change-me-generate-with-openssl-rand-base64-32
+
+# --- Registry ---
+REGISTRY=reg.dd0c.net
+REGISTRY_PASSWORD=change-me-registry
+
+# --- CORS (comma-separated origins) ---
+CORS_ORIGIN=http://localhost:5173
+
+# --- Optional ---
 LOG_LEVEL=info
-PORT=3000
-
-# --- P1: route ---
-# OPENAI_API_KEY=sk-...
-# ANTHROPIC_API_KEY=sk-ant-...
-
-# --- P3: alert ---
-# DATADOG_WEBHOOK_SECRET=...
-# PAGERDUTY_WEBHOOK_SECRET=...
-# OPSGENIE_WEBHOOK_SECRET=...
-
-# --- P4: portal ---
-# MEILI_URL=http://localhost:7700
-# MEILI_KEY=...
-# GITHUB_TOKEN=ghp_...
-
-# --- P5: cost ---
-# AWS_ACCESS_KEY_ID=...
-# AWS_SECRET_ACCESS_KEY=...
-# ANOMALY_THRESHOLD=50
-
-# --- P6: run ---
-# SLACK_BOT_TOKEN=xoxb-...
-# SLACK_SIGNING_SECRET=...
-
-# --- Notifications (shared) ---
-# SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...
-# RESEND_API_KEY=re_...
+ANOMALY_THRESHOLD=50