security: close audit findings #19–#23 and harden Docker setup (#24)

#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request

#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob;
    run db:migrate:deploy on container start so a fresh checkout boots without manual steps

Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)

Co-Authored-By: claude-flow <ruv@ruv.net>

apps/web/src/app/api/perf/route.ts

@@ -13,14 +13,13 @@ export const runtime = "nodejs";
 export function GET(request: Request) {
   const cronSecret = process.env["CRON_SECRET"];
 
-  if (cronSecret) {
-    const url = new URL(request.url);
-    const headerToken = request.headers.get("authorization")?.replace("Bearer ", "");
-    const queryToken = url.searchParams.get("token");
+  if (!cronSecret) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
 
-    if (headerToken !== cronSecret && queryToken !== cronSecret) {
-      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-    }
+  const headerToken = request.headers.get("authorization")?.replace("Bearer ", "");
+  if (headerToken !== cronSecret) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
 
   const mem = process.memoryUsage();