Go-live hardening: server_tokens, resource limits, pinned images, CVE fixes

- Add server_tokens off to nginx (suppress version leakage)
- Add deploy.resources.limits to all containers (db: 512M, api: 256M, nginx: 64M)
- Pin image tags: mysql:8.0 → 8.0.45, nginx:alpine → 1.29.6-alpine
- Fix CVEs: cryptography 43.0.3 → 46.0.5 (HIGH), python-jose 3.3.0 → 3.4.0 (CRITICAL)
- Add .limit(500) to GET /api/flock and GET /api/admin/users

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/routers/flock.py

@@ -22,6 +22,7 @@ def list_flock_history(
         select(FlockHistory)
         .where(FlockHistory.user_id == current_user.id)
         .order_by(FlockHistory.date.desc())
+        .limit(500)
     )
     return db.scalars(q).all()