Go-live hardening: server_tokens, resource limits, pinned images, CVE fixes

- Add server_tokens off to nginx (suppress version leakage)
- Add deploy.resources.limits to all containers (db: 512M, api: 256M, nginx: 64M)
- Pin image tags: mysql:8.0 → 8.0.45, nginx:alpine → 1.29.6-alpine
- Fix CVEs: cryptography 43.0.3 → 46.0.5 (HIGH), python-jose 3.3.0 → 3.4.0 (CRITICAL)
- Add .limit(500) to GET /api/flock and GET /api/admin/users

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

nginx/nginx.conf

@@ -9,6 +9,8 @@ http {
     sendfile on;
 
     # ── Gzip compression ──────────────────────────────────────────────────────
+    server_tokens off;
+
     gzip            on;
     gzip_types      text/plain text/css application/javascript application/json;
     gzip_min_length 1000;