feat: Audit remediation + Stripe webhook + test suites

- Apply 3 Prisma schema changes (Pending2FASession, hubApiKeyHash, SecurityVerificationCode attempts)
- Add Stripe webhook handler (checkout.session.completed -> User + Subscription + Order)
- Add stripe-service, api-key-service, rate-limit middleware
- Add security headers (CSP, HSTS, X-Frame-Options) in next.config.ts
- Harden auth routes, require ADMIN_API_KEY for orchestrator endpoints
- Add Docker auto-migration via startup.sh
- Add 7 unit test suites (api-key, dns, config-generator, automation-worker, permission, security-verification, auth-helpers)
- Fix Prisma 7 compatibility with adapter-pg mock for vitest

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.env.example

@@ -1,7 +1,7 @@
 # LetsBe Hub Configuration
 
 # Database
-DATABASE_URL=postgresql+asyncpg://hub:hub@db:5432/hub
+DATABASE_URL=postgresql://hub:hub@db:5432/hub
 
 # Admin API Key (CHANGE IN PRODUCTION!)
 ADMIN_API_KEY=change-me-in-production
@@ -11,3 +11,24 @@ DEBUG=false
 
 # Telemetry retention (days)
 TELEMETRY_RETENTION_DAYS=90
+
+# =============================================================================
+# Email (Resend)
+# =============================================================================
+# API key from https://resend.com
+# RESEND_API_KEY=re_xxxxxxxxxx
+# Sender email address (must be verified in Resend)
+# RESEND_FROM_EMAIL=noreply@yourdomain.com
+
+# =============================================================================
+# Cron / Scheduled Tasks
+# =============================================================================
+# Secret used to authenticate cron job requests
+# Generate with: openssl rand -hex 32
+# CRON_SECRET=
+
+# =============================================================================
+# Public API
+# =============================================================================
+# API key exposed to client-side code (non-sensitive, for rate limiting etc.)
+# PUBLIC_API_KEY=