cpatpa closes the security findings before anyone ships on them

Two frontend modules referenced privileged secrets but had zero
importers anywhere in frontend/src/:

- frontend/src/lib/supabase-server.ts read SUPABASE_SECRET_KEY (the
  Supabase service-role key, full god mode on the database).
- frontend/src/lib/storage.ts read R2_SECRET_ACCESS_KEY and instantiated
  an S3 client at module-evaluation time.

Their continued presence meant any future import from a client
component would silently leak these secrets to every browser session.
Both files deleted. SUPABASE_SECRET_KEY removed from
frontend/.env.local.example. README updated to make explicit that the
service-role key belongs in backend/.env only.

Closes security finding C3.

CORS (H2): the backend now refuses to boot in production without
FRONTEND_URL set, and accepts a comma-separated allowlist of origins.
No localhost fallback in production.

JSON body limit (H3): global limit reduced from 50 MB to 1 MB. Chat
endpoints get a 10 MB override via a per-route parser. Both limits are
env-configurable.

LibreOffice conversion timeout (H4): docxToPdf now races the soffice
call against a hard timeout (default 60 s) so a malformed DOCX cannot
hang the request indefinitely. Throws DocxConversionTimeoutError on
expiry; existing call sites already log-and-continue on conversion
failure.

DOCX zip and XML guards (H5): new safeZip.ts wraps JSZip.loadAsync
behind loadZipSafely (rejects archives whose declared uncompressed
footprint exceeds DOCX_MAX_UNCOMPRESSED_BYTES, default 200 MB) and
adds assertSafeXml (rejects payloads above DOCX_MAX_XML_BYTES, default
50 MB, or containing DOCTYPE or ENTITY declarations). All four
JSZip.loadAsync sites in docxTrackedChanges.ts migrated. Predefined
XML entities continue to be processed correctly.

Email shape validation (H7): the JWT-supplied email is now validated
against a conservative shape before being interpolated into the
PostgREST `cs` filter on shared_with.

Multer upgrade (M5): bumped from 1.4.5-lts to 2.x. The 1.x line has
known DoS CVEs. API surface unchanged for our usage.

Helmet CSP (M6): replaced contentSecurityPolicy:false with a strict
default-src:'none'; frame-ancestors:'none' CSP on all API responses.

Supporting infrastructure: new logger.ts exposes devLog/devWarn that
no-op in production, and httpErrors.ts provides sendServerError and
friends so routes can be migrated off raw error message exposure.

Updated docs/security/01-threat-model.md and CHANGELOG.md with
remediation details.

M3: routes no longer return raw Postgres error messages to clients.
The 24 sites of the
  if (error) return void res.status(500).json({ detail: error.message });
pattern across chat, projects, documents, tabular, workflows, user, and
tabular review-creation now use the sendServerError helper. The full
error is logged server-side with context; the client receives a
generic message.

M4: console.log calls in routes/documents.ts and lib/chatTools.ts
migrated to devLog. devLog is a no-op when NODE_ENV=production, so
document content excerpts, storage paths, and edit-resolution payloads
no longer leak to stdout in production. console.error retained where
appropriate.

Also removed backend/bun.lock and frontend/bun.lock. PIP standardises
on npm.