security: fix 4 OWASP quick-wins from audit round 2

A04-1 (High): docker-compose E2E_TEST_MODE now defaults to "false"
  via ${E2E_TEST_MODE:-false} — prevents accidental security bypass in
  non-test deployments. runtime-env.ts throws at startup if
  E2E_TEST_MODE=true in production.

A05-3 (Medium): all 4 cron routes now fail-closed when CRON_SECRET
  is unset. Extracted shared verifyCronSecret() helper to
  apps/web/src/lib/cron-auth.ts.

A02-1 (Low): verifyCronSecret uses crypto.timingSafeEqual for
  constant-time Bearer token comparison.

A10-1 (Medium): Slack webhook routing uses strict hostname check
  (parsedUrl.hostname === "hooks.slack.com") instead of .includes()
  to prevent bypass via subdomain confusion.

Tickets created for remaining findings: #28 (TOTP rate limit),
#29 (allocations role check), #30 (API keys in DB), #31 (pgAdmin
creds), #32 (MFA enforcement), #33 (auth anomaly alerting),
#34 (comment server-side sanitization).

Co-Authored-By: claude-flow <ruv@ruv.net>

docker-compose.yml

@@ -59,9 +59,14 @@ services:
       REDIS_URL: redis://redis:6379
       NEXTAUTH_URL: ${NEXTAUTH_URL:-http://localhost:3100}
       NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:?set NEXTAUTH_SECRET}
-      # Bypass auth + API rate limiters so E2E test runs don't exhaust
-      # per-user quotas and don't pollute active_sessions for real users.
-      E2E_TEST_MODE: "true"
+      # Bypass auth + API rate limiters for E2E test runs only.
+      # MUST remain "false" in any production or staging deployment.
+      # Set E2E_TEST_MODE=true in the host environment before running E2E tests.
+      E2E_TEST_MODE: "${E2E_TEST_MODE:-false}"
+      # AI provider secrets — forwarded from host .env, not hardcoded
+      AZURE_OPENAI_API_KEY: ${AZURE_OPENAI_API_KEY:-}
+      OPENAI_API_KEY: ${OPENAI_API_KEY:-}
+      GEMINI_API_KEY: ${GEMINI_API_KEY:-}
     depends_on:
       postgres:
         condition: service_healthy