fix: harden web runtime and follow-up auth/db security fixes (#21)

## Summary
- harden the web runtime with JSON body limits, stricter generation input validation, rate limiting, and trusted Origin/Referer checks for cookie-authenticated mutations
- redact password-reset tokens from debug email transport logs and fail closed for unsupported email providers
- scope generation idempotency keys per user with a Prisma migration and regression coverage

## Testing
- docker build -f infra/docker/web.Dockerfile -t nroxy-web-check .
- docker run --rm --entrypoint sh nroxy-web-check -lc "pnpm --filter @nproxy/providers test && pnpm --filter @nproxy/db test && pnpm --filter @nproxy/web test"

Closes #14
Closes #7
Closes #8

Co-authored-by: sirily <sirily@git.shararam.party>
Reviewed-on: #21

packages/providers/src/email.ts

@@ -20,29 +20,20 @@ export function createEmailTransport(config: {
           JSON.stringify({
             service: "email",
             provider: config.provider,
+            mode: "debug_redacted",
             from: config.from,
             to: input.to,
             subject: input.subject,
-            text: input.text,
+            textPreview: redactEmailText(input.text),
           }),
         );
       },
     };
   }
 
-  return {
-    async send(input) {
-      console.log(
-        JSON.stringify({
-          service: "email",
-          provider: config.provider,
-          mode: "noop_fallback",
-          from: config.from,
-          to: input.to,
-          subject: input.subject,
-          text: input.text,
-        }),
-      );
-    },
-  };
+  throw new Error(`Unsupported email provider: ${config.provider}`);
+}
+
+function redactEmailText(text: string): string {
+  return text.replace(/([?&]token=)[^&\s]+/gi, "$1[REDACTED]");
 }