security: address assessment findings and bump to v2026.3.11
- C1: Disable Swagger UI in production (env gate)
- M1+M2: Add Helmet.js for security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) and remove X-Powered-By
- H2: Add @nestjs/throttler rate limiting (5 req/min on login/register)
- M4: Remove orgSchema from JWT payload and client-side storage; tenant middleware now resolves schema from orgId via cached DB lookup
- L1: Fix Chatwoot user identification (read from auth store on ready)
- Remove schemaName from frontend Organization type and UI displays

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -38,10 +38,6 @@ export function SettingsPage() {
<Text size="sm" c="dimmed">Your Role</Text>
<Badge variant="light">{currentOrg?.role || 'N/A'}</Badge>
</Group>
<Group justify="space-between">
<Text size="sm" c="dimmed">Schema</Text>
<Text size="sm" ff="monospace" c="dimmed">{currentOrg?.schemaName || 'N/A'}</Text>
</Group>
</Stack>
</Card>
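Review bot: with the Schema row removed from SettingsPage, make sure the `schemaName` field is also dropped from the frontend `Organization` type (as the commit message states) so that any other component still reading `currentOrg?.schemaName` fails type-checking instead of silently rendering 'N/A'; since the hunk header shows only deletions here, the corresponding type change must land in the same commit. Also worth noting in the message that already-authenticated clients keep whatever the persisted auth store held until they re-login, so consider clearing any stored `schemaName`/`orgSchema` value on app load rather than relying on the new JWT shape alone.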