security: v1.7.7 hardening release

- Add WEBHOOK_CLIENT_SECRET validation for Graph webhooks
- Add Redis-backed rate limiting (fetch/ask/write/default tiers)
- Validate LLM_BASE_URL to prevent SSRF (HTTPS only, block private IPs)
- Enforce non-wildcard CORS when AUTH_ENABLED=true
- Add Content-Security-Policy headers
- Fix audit middleware to use verified JWT claims via contextvars
- Cap bulk_tags updates to 10,000 documents
- Return generic error messages to clients (no internal detail leakage)
- Strict AlertCondition Pydantic model for alert rules
- Security warning on MCP stdio server startup
- Remove MongoDB/Redis host ports from docker-compose
- Remove mongo_query from /ask API response
2026-04-26 15:49:02 +02:00
parent 7cd7709b4a
commit d01e7801ed
14 changed files with 341 additions and 30 deletions


@@ -3,8 +3,7 @@ services:
image: valkey/valkey:8-alpine
container_name: aoc-redis
restart: always
ports:
- "6379:6379"
# Ports not exposed to host; backend and worker connect via Docker network
volumes:
- redis_data:/data
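
Review bot: the comment that replaces the `ports:` block on aoc-redis states the intent but gives no supported path for local debugging, so the likely workaround is someone re-adding `"6379:6379"`, which binds on every host interface. Extend the comment (or the README) to point at `docker exec` into `aoc-redis`, or at a loopback-only mapping such as `"127.0.0.1:6379:6379"` kept in a local override file. Separately, nothing in the visible lines sets a password on the Valkey service; since the commit message moves rate limiting into Redis, any container on the same Docker network could still read or reset those counters, so enabling auth on this service is worth a follow-up.
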
@@ -12,8 +11,7 @@ services:
image: mongo:7
container_name: aoc-mongo
restart: always
ports:
- "27017:27017"
# Ports not exposed to host; backend and worker connect via Docker network
environment:
MONGO_INITDB_ROOT_USERNAME: ${MONGO_ROOT_USERNAME}
MONGO_INITDB_ROOT_PASSWORD: ${MONGO_ROOT_PASSWORD}
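
Review bot: the `environment:` context lines for aoc-mongo interpolate `${MONGO_ROOT_USERNAME}` and `${MONGO_ROOT_PASSWORD}` with no required-variable guard, so an unset variable becomes an empty string and the official mongo image then initialises without a root user or authentication. Removing the host port narrows who can reach 27017, but every container on the Docker network still can, so fail fast instead: `MONGO_INITDB_ROOT_PASSWORD: ${MONGO_ROOT_PASSWORD:?MONGO_ROOT_PASSWORD must be set}` and the same form for the username. The same documentation gap as on the Redis service applies to the replacement comment here.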