security: close audit findings #19–#23 and harden Docker setup (#24)

#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request

#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob;
    run db:migrate:deploy on container start so a fresh checkout boots without manual steps

Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)

Co-Authored-By: claude-flow <ruv@ruv.net>

apps/web/src/app/api/perf/route.ts

@@ -13,14 +13,13 @@ export const runtime = "nodejs";
 export function GET(request: Request) {
   const cronSecret = process.env["CRON_SECRET"];
 
-  if (cronSecret) {
-    const url = new URL(request.url);
-    const headerToken = request.headers.get("authorization")?.replace("Bearer ", "");
-    const queryToken = url.searchParams.get("token");
+  if (!cronSecret) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
 
-    if (headerToken !== cronSecret && queryToken !== cronSecret) {
-      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-    }
+  const headerToken = request.headers.get("authorization")?.replace("Bearer ", "");
+  if (headerToken !== cronSecret) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
 
   const mem = process.memoryUsage();

apps/web/src/app/api/trpc/[trpc]/route.ts

@@ -23,6 +23,21 @@ function trackActivity(userId: string) {
 const handler = async (req: NextRequest) => {
   const session = await auth();
 
+  // Validate active session registry on every authenticated request.
+  // Sessions kicked by concurrent-session limits or manual logout are rejected immediately.
+  if (session?.user) {
+    const jti = (session.user as typeof session.user & { jti?: string }).jti;
+    if (jti) {
+      const activeSession = await prisma.activeSession.findUnique({ where: { jti } });
+      if (!activeSession) {
+        return new Response(JSON.stringify({ error: "Session revoked" }), {
+          status: 401,
+          headers: { "Content-Type": "application/json" },
+        });
+      }
+    }
+  }
+
   const dbUser = session?.user?.email
     ? await prisma.user.findUnique({
         where: { email: session.user.email },