Pin versions, add resource limits, and harden config

- Pin all Docker image tags (mysql 8.0.40, python 3.12.13-slim, node 20.20.1-alpine, nginx 1.29.6-alpine)
- Pin all frontend npm dependencies to exact versions (remove ^ ranges)
- Add mem_limit and cpus resource limits to all three containers
- Add non-root appuser to backend Dockerfile
- Migrate JWT from python-jose to PyJWT
- Remove default admin_password in config.py — must be explicitly set in .env
- Add DOCS_ENABLED flag to config and .env.example (default false)
- Add indexes on session_date, is_active, event_type in session models
- Add limit/offset pagination to all log endpoints

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/models/session.py

@@ -21,8 +21,8 @@ class DailySession(TimestampMixin, Base):
     template_id: Mapped[int | None] = mapped_column(
         ForeignKey("schedule_templates.id", ondelete="SET NULL"), nullable=True
     )
-    session_date: Mapped[date] = mapped_column(Date, nullable=False)
-    is_active: Mapped[bool] = mapped_column(default=True)
+    session_date: Mapped[date] = mapped_column(Date, nullable=False, index=True)
+    is_active: Mapped[bool] = mapped_column(default=True, index=True)
     current_block_id: Mapped[int | None] = mapped_column(
         ForeignKey("schedule_blocks.id", ondelete="SET NULL"), nullable=True
     )
@@ -48,7 +48,7 @@ class TimerEvent(Base):
     block_id: Mapped[int | None] = mapped_column(
         ForeignKey("schedule_blocks.id", ondelete="SET NULL"), nullable=True
     )
-    event_type: Mapped[str] = mapped_column(String(20), nullable=False)
+    event_type: Mapped[str] = mapped_column(String(20), nullable=False, index=True)
     occurred_at: Mapped[datetime] = mapped_column(DateTime, default=func.now(), server_default=func.now())
 
     session: Mapped["DailySession"] = relationship("DailySession", back_populates="timer_events")