security: P1/P2 hardening — rate limiting, CORS, Redis auth, network isolation

- Add Redis-based sliding window rate limiting on login, register, forgot-password, reset-password
- Fix user enumeration: register returns generic 200 for both new and existing emails
- Add Redis authentication (requirepass) and password in .env
- Docker network isolation: postgres/redis on internal-only network
- Whitelist Stripe redirect origins (prevent open redirect)
- Add 10MB request size limit on trace ingestion
- Limit API keys to 10 per user
- Add CORS headers via middleware (whitelist agentlens.vectry.tech + localhost)
- Reduce JWT max age from 30 days to 7 days

apps/web/package.json

@@ -16,6 +16,7 @@
     "@dagrejs/dagre": "^2.0.4",
     "@xyflow/react": "^12.10.0",
     "bcryptjs": "^3.0.3",
+    "ioredis": "^5.9.2",
     "lucide-react": "^0.469.0",
     "next": "^15.1.0",
     "next-auth": "^5.0.0-beta.30",