security: harden remote-access stack (pentest remediation R1-R4)

App layer (R1): bind frps NewProxy to token-owned subdomain (anti-hijack),
default-deny unknown webhook ops, HMAC-verify stripe-stub billing webhook,
enforce bandwidth quota kill-switch (Ping op), least-privilege table grants
(migrations 0002/0003), GOTRUE_PASSWORD_MIN_LENGTH=12.

Infra/net (R2): unpublish internal host ports (kong/pooler/analytics/frps-dash),
read-only docker-socket-proxy for vector (no host breakout), on-demand-TLS
allow-list authorizer, edge-block machine-only webhooks, no-new-privileges on
custom containers.

Secrets (R3): rotate Postgres password (all roles) + frps dashboard; replace
predictable supavisor defaults; secrets externalized to gitignored .env.

Med/Low (R4): security response headers (HSTS/XCTO/XFO/Referrer/Permissions/COOP),
restrict frp proxy_type to http (no open relay), disable destructive redis
commands, tighten frps.toml perms.

No secrets committed; rotated values live only in gitignored .env files.

redis/docker-compose.yml

@@ -3,6 +3,12 @@ services:
     image: redis:7.2-alpine
     container_name: redis
     restart: unless-stopped
+    # SECURITY (R4/I7): drop privileges and disable destructive admin commands.
+    # The only Redis consumers (auth-webhook, bandwidth-worker) use GET/SET/DEL
+    # exclusively, so disabling FLUSHALL/FLUSHDB/KEYS/DEBUG is safe and limits
+    # blast radius if the edge network is ever abused.
+    security_opt:
+      - no-new-privileges:true
     environment:
       REDIS_PASSWORD: ${REDIS_PASSWORD}
     command:
@@ -13,6 +19,18 @@ services:
       - "yes"
       - --appendfsync
       - everysec
+      - --rename-command
+      - FLUSHALL
+      - ""
+      - --rename-command
+      - FLUSHDB
+      - ""
+      - --rename-command
+      - KEYS
+      - ""
+      - --rename-command
+      - DEBUG
+      - ""
     volumes:
       - ./data:/data
     healthcheck: