security: close audit findings #19–#23 and harden Docker setup (#24)

#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request

#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob;
    run db:migrate:deploy on container start so a fresh checkout boots without manual steps

Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)

Co-Authored-By: claude-flow <ruv@ruv.net>

apps/web/package.json

@@ -29,6 +29,7 @@
     "@trpc/client": "^11.0.0",
     "@trpc/react-query": "^11.0.0",
     "@trpc/server": "^11.0.0",
+    "@types/qrcode": "^1.5.6",
     "clsx": "^2.1.1",
     "dompurify": "^3.3.3",
     "exceljs": "^4.4.0",
@@ -36,6 +37,7 @@
     "next": "^15.1.7",
     "next-auth": "^5.0.0-beta.25",
     "otpauth": "^9.5.0",
+    "qrcode": "^1.5.4",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "react-force-graph-3d": "^1.29.1",
@@ -49,13 +51,13 @@
   "devDependencies": {
     "@capakraken/tsconfig": "workspace:*",
     "@playwright/test": "^1.49.1",
-    "@vitest/coverage-v8": "^2.1.9",
     "@types/dompurify": "^3.2.0",
     "@types/node": "^22.10.2",
     "@types/react": "^19.0.6",
     "@types/react-dom": "^19.0.3",
     "@types/react-grid-layout": "^2.1.0",
     "@types/three": "^0.183.1",
+    "@vitest/coverage-v8": "^2.1.9",
     "autoprefixer": "^10.4.20",
     "postcss": "^8.4.49",
     "tailwindcss": "^3.4.17",