Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks

Phase 1 (Security Critical):
- Auth plugin encapsulation: replaced global addHook with Fastify plugin scope
- Removed startsWith URL matching; public routes registered outside auth scope
- JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion)
- Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead
- withTenant() remains primary tenant-scoped query path

Phase 2 (Infrastructure):
- docker-compose.yml: all secrets via env var substitution (${VAR:-default})
- Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh
- .env.example with all configurable secrets
- build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded
- .gitignore excludes .env files
- @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup
- CORS_ORIGIN default changed from '*' to 'http://localhost:5173'

Phase 3 (Product):
- Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id
- Signup accepts optional invite_token to join existing tenant
- Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue

Console:
- All 5 product modules wired: drift, alert, portal, cost, run
- PageHeader accepts children prop
- 71 modules, 70KB gzipped production build

All 6 projects compile clean (tsc --noEmit).

products/docker-init-db.sh

@@ -7,7 +7,26 @@ for db in dd0c_route dd0c_drift dd0c_alert dd0c_portal dd0c_cost dd0c_run; do
   psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname postgres -c "CREATE DATABASE $db;" 2>/dev/null || true
 done
 
-# Run migrations for each product
+# Create per-service DB users with least-privilege access
+create_service_user() {
+  local db=$1
+  local user=$2
+  local pass_var=$3
+  local pass="${!pass_var:-dd0c-dev}"
+  echo "Creating user $user for $db"
+  psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname postgres -c "CREATE USER $user WITH PASSWORD '$pass';" 2>/dev/null || true
+  psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -c "GRANT ALL PRIVILEGES ON DATABASE $db TO $user;" 2>/dev/null || true
+  psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -c "GRANT ALL ON SCHEMA public TO $user;" 2>/dev/null || true
+  psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -c "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO $user;" 2>/dev/null || true
+}
+
+create_service_user dd0c_drift dd0c_drift DB_DRIFT_PASSWORD
+create_service_user dd0c_alert dd0c_alert DB_ALERT_PASSWORD
+create_service_user dd0c_portal dd0c_portal DB_PORTAL_PASSWORD
+create_service_user dd0c_cost dd0c_cost DB_COST_PASSWORD
+create_service_user dd0c_run dd0c_run DB_RUN_PASSWORD
+
+# Run migrations for each product (as superuser so tables are created correctly)
 run_migrations() {
   local db=$1
   local dir=$2