fix: script portability and npm security updates

Scripts:
- stop.sh: replace Linux-only fuser with cross-platform lsof fallback
- start.sh: parameterize port (APP_PORT) and container name (dynamic lookup)
- app-dev-start.sh: cross-platform stat (GNU -c / BSD -f) and setpriv/su fallback
- deploy-compose.sh: parameterize Docker registry via DOCKER_REGISTRY env var
- harden-postgres.sh: make DB_USER and DB_NAME configurable via env vars

NPM security:
- next: 15.5.12 → 15.5.15 (fixes HTTP request smuggling CVE)
- nodemailer: 8.0.1 → 8.0.5 (fixes SMTP command injection CVEs)
- lodash-es: add pnpm override to force >=4.18.0 (fixes code injection + prototype pollution)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/harden-postgres.sh

@@ -2,8 +2,8 @@
 # Remove SUPERUSER from the application database user
 # Run after initial setup: bash scripts/harden-postgres.sh
 
-DB_USER="capakraken"
-DB_NAME="capakraken"
+DB_USER="${DB_USER:-capakraken}"
+DB_NAME="${DB_NAME:-capakraken}"
 
 echo "Hardening PostgreSQL for $DB_USER..."
 

scripts/start.sh

@@ -2,6 +2,9 @@
 set -euo pipefail
 cd "$(dirname "$0")/.."
 
+APP_PORT="${APP_PORT:-3100}"
+APP_CONTAINER="${APP_CONTAINER:-$(docker compose --profile full ps -q app 2>/dev/null | head -1)}"
+
 echo "Starting CapaKraken..."
 
 # 1. Start Docker services
@@ -19,20 +22,23 @@ for i in {1..30}; do
 done
 
 # 3. Start the web app in Docker for a stable lifecycle
-echo "  Starting app container on port 3100..."
+echo "  Starting app container on port ${APP_PORT}..."
 docker compose --profile full up -d app
 
+# Resolve container name after start (docker compose generates it from project dir + service)
+APP_CONTAINER="$(docker compose --profile full ps -q app 2>/dev/null | head -1)"
+
 # 4. Wait for server to be ready
 # Allow up to 90s: prisma generate + migrate deploy + next dev compilation
 echo "  Waiting for server (up to 90s)..."
 for i in {1..90}; do
-  if curl -sf http://localhost:3100/api/health > /dev/null 2>&1; then
+  if curl -sf "http://localhost:${APP_PORT}/api/health" > /dev/null 2>&1; then
     echo ""
     echo "CapaKraken is running!"
-    curl -s http://localhost:3100/api/ready | python3 -m json.tool 2>/dev/null || curl -s http://localhost:3100/api/ready
+    curl -s "http://localhost:${APP_PORT}/api/ready" | python3 -m json.tool 2>/dev/null || curl -s "http://localhost:${APP_PORT}/api/ready"
     echo ""
-    echo "  URL: http://localhost:3100"
-    echo "  Logs: docker logs -f capakraken-app-1"
+    echo "  URL: http://localhost:${APP_PORT}"
+    echo "  Logs: docker logs -f ${APP_CONTAINER}"
     exit 0
   fi
   # Print progress every 10s
@@ -43,5 +49,5 @@ for i in {1..90}; do
 done
 
 echo "ERROR: Server failed to start within 90 seconds"
-echo "Check logs: docker logs --tail 100 capakraken-app-1"
+echo "Check logs: docker logs --tail 100 ${APP_CONTAINER}"
 exit 1

scripts/stop.sh

@@ -16,8 +16,12 @@ if [ -f /tmp/capakraken-dev.pid ]; then
   rm -f /tmp/capakraken-dev.pid
 fi
 
-# Also kill anything on port 3100
-fuser -k 3100/tcp 2>/dev/null || true
+# Also kill anything on port 3100 (cross-platform: lsof works on Linux + macOS)
+if command -v lsof >/dev/null 2>&1; then
+  lsof -ti:3100 2>/dev/null | xargs kill 2>/dev/null || true
+elif command -v fuser >/dev/null 2>&1; then
+  fuser -k 3100/tcp 2>/dev/null || true
+fi
 
 # 2. Stop Docker services (keep data volumes)
 echo "  Stopping app, PostgreSQL and Redis..."