security: v1.7.7 hardening release

- Add WEBHOOK_CLIENT_SECRET validation for Graph webhooks
- Add Redis-backed rate limiting (fetch/ask/write/default tiers)
- Validate LLM_BASE_URL to prevent SSRF (HTTPS only, block private IPs)
- Enforce non-wildcard CORS when AUTH_ENABLED=true
- Add Content-Security-Policy headers
- Fix audit middleware to use verified JWT claims via contextvars
- Cap bulk_tags updates to 10,000 documents
- Return generic error messages to clients (no internal detail leakage)
- Strict AlertCondition Pydantic model for alert rules
- Security warning on MCP stdio server startup
- Remove MongoDB/Redis host ports from docker-compose
- Remove mongo_query from /ask API response

backend/config.py

@@ -68,6 +68,14 @@ class Settings(BaseSettings):
     ALERT_WEBHOOK_FORMAT: str = "generic"  # generic | slack | teams
     ALERT_DEDUPE_MINUTES: int = 15
 
+    # Webhook security
+    WEBHOOK_CLIENT_SECRET: str = ""
+
+    # Rate limiting
+    RATE_LIMIT_ENABLED: bool = True
+    RATE_LIMIT_REQUESTS: int = 120
+    RATE_LIMIT_WINDOW_SECONDS: int = 60
+
 
 _settings = Settings()
 
@@ -113,3 +121,9 @@ DEFAULT_PAGE_SIZE = _settings.DEFAULT_PAGE_SIZE
 ALERT_WEBHOOK_URL = _settings.ALERT_WEBHOOK_URL
 ALERT_WEBHOOK_FORMAT = _settings.ALERT_WEBHOOK_FORMAT
 ALERT_DEDUPE_MINUTES = _settings.ALERT_DEDUPE_MINUTES
+
+WEBHOOK_CLIENT_SECRET = _settings.WEBHOOK_CLIENT_SECRET
+
+RATE_LIMIT_ENABLED = _settings.RATE_LIMIT_ENABLED
+RATE_LIMIT_REQUESTS = _settings.RATE_LIMIT_REQUESTS
+RATE_LIMIT_WINDOW_SECONDS = _settings.RATE_LIMIT_WINDOW_SECONDS