Pin versions, add resource limits, and harden config

- Pin all Docker image tags (mysql 8.0.40, python 3.12.13-slim, node 20.20.1-alpine, nginx 1.29.6-alpine)
- Pin all frontend npm dependencies to exact versions (remove ^ ranges)
- Add mem_limit and cpus resource limits to all three containers
- Add non-root appuser to backend Dockerfile
- Migrate JWT from python-jose to PyJWT
- Remove default admin_password in config.py — must be explicitly set in .env
- Add DOCS_ENABLED flag to config and .env.example (default false)
- Add indexes on session_date, is_active, event_type in session models
- Add limit/offset pagination to all log endpoints

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/auth/jwt.py

@@ -1,7 +1,8 @@
 from datetime import datetime, timedelta, timezone
 from typing import Any
 
-from jose import JWTError, jwt
+import jwt
+from jwt import PyJWTError
 from passlib.context import CryptContext
 
 from app.config import get_settings
@@ -43,5 +44,5 @@ def create_refresh_token(data: dict[str, Any]) -> str:
 def decode_token(token: str) -> dict[str, Any]:
     try:
         return jwt.decode(token, settings.secret_key, algorithms=[settings.algorithm])
-    except JWTError:
+    except PyJWTError:
         raise ValueError("Invalid or expired token")