security: address assessment findings and bump to v2026.3.11

- C1: Disable Swagger UI in production (env gate)
- M1+M2: Add Helmet.js for security headers (CSP, X-Frame-Options,
  X-Content-Type-Options, Referrer-Policy) and remove X-Powered-By
- H2: Add @nestjs/throttler rate limiting (5 req/min on login/register)
- M4: Remove orgSchema from JWT payload and client-side storage;
  tenant middleware now resolves schema from orgId via cached DB lookup
- L1: Fix Chatwoot user identification (read from auth store on ready)
- Remove schemaName from frontend Organization type and UI displays

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

frontend/index.html

@@ -23,24 +23,20 @@
           })
         }
       })(document,"script");
+      window.addEventListener('chatwoot:ready', function() {
+        try {
+          var raw = localStorage.getItem('ledgeriq-auth');
+          if (!raw) return;
+          var auth = JSON.parse(raw);
+          var user = auth && auth.state && auth.state.user;
+          if (user && window.$chatwoot) {
+            window.$chatwoot.setUser(user.id, {
+              name: (user.firstName || '') + ' ' + (user.lastName || ''),
+              email: user.email
+            });
+          }
+        } catch (e) {}
+      });
     </script>
-    <script>
-    window.addEventListener('chatwoot:ready', function () {
-      // 1. Identify the user (use your real variables/server-side values)
-      window.$chatwoot.setUser("{{ current_user.id }}", {  // or just a string like "user-123"
-        identifier: "{{ current_user.id }}",
-        name: "{{ current_user.name }}",
-        email: "{{ current_user.email }}",
-        // identifier_hash: "your-hmac-hash-if-using-verification",
-      });
-
-      // 2. Send current URL + extras
-      window.$chatwoot.setCustomAttributes({
-        current_page_url: window.location.href,
-        // e.g. user_plan: "premium",
-        // last_action: "viewed_pricing"
-      });
-    });
-  </script>
   </body>
 </html>