security: P1/P2 hardening — rate limiting, CORS, Redis auth, network isolation

- Add Redis-based sliding window rate limiting on login, register, forgot-password, reset-password
- Fix user enumeration: register returns generic 200 for both new and existing emails
- Add Redis authentication (requirepass) and password in .env
- Docker network isolation: postgres/redis on internal-only network
- Whitelist Stripe redirect origins (prevent open redirect)
- Add 10MB request size limit on trace ingestion
- Limit API keys to 10 per user
- Add CORS headers via middleware (whitelist agentlens.vectry.tech + localhost)
- Reduce JWT max age from 30 days to 7 days

apps/web/src/app/api/stripe/portal/route.ts

@@ -22,8 +22,14 @@ export async function POST(request: Request) {
       );
     }
 
-    const origin =
-      request.headers.get("origin") ?? "https://agentlens.vectry.tech";
+    const ALLOWED_ORIGINS = [
+      "https://agentlens.vectry.tech",
+      "http://localhost:3000",
+    ];
+    const requestOrigin = request.headers.get("origin");
+    const origin = ALLOWED_ORIGINS.includes(requestOrigin ?? "")
+      ? requestOrigin!
+      : "https://agentlens.vectry.tech";
 
     const portalSession = await getStripe().billingPortal.sessions.create({
       customer: subscription.stripeCustomerId,