chore(hardening): maintenance jobs, defense-in-depth, redis-backed public rate limit

- maintenance worker now expires GDPR export bundles (db row + MinIO object)
  on the gdpr_exports.expires_at boundary, plus 90-day retention sweep on
  ai_usage_ledger; both jobs scheduled daily.
- portId scoping added to listClientRelationships and listClientExports
  (defense-in-depth — parent-resource gates already prevent cross-tenant
  reads, but service layer should enforce on its own).
- SELECT FOR UPDATE on parent client/company row inside add/update address
  transactions to serialize concurrent isPrimary toggles.
- public /interests + /residential-inquiries endpoints swap their
  in-memory ipHits maps for the redis sliding-window limiter via the
  new rateLimiters.publicForm config (5/hr/IP), so the cap survives
  restarts and is shared across worker processes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/companies.service.ts

@@ -416,6 +416,13 @@ export async function addCompanyAddress(
   if (!company || company.portId !== portId) throw new NotFoundError('Company');
 
   const address = await withTransaction(async (tx) => {
+    // Lock the company row to serialize concurrent primary-toggle requests.
+    await tx
+      .select({ id: companies.id })
+      .from(companies)
+      .where(eq(companies.id, companyId))
+      .for('update');
+
     const wantsPrimary = data.isPrimary ?? false;
     if (wantsPrimary) {
       await tx
@@ -474,6 +481,13 @@ export async function updateCompanyAddress(
   if (!existing) throw new NotFoundError('Address');
 
   const updated = await withTransaction(async (tx) => {
+    // Lock the company row to serialize primary-toggle changes.
+    await tx
+      .select({ id: companies.id })
+      .from(companies)
+      .where(eq(companies.id, companyId))
+      .for('update');
+
     if (data.isPrimary === true && !existing.isPrimary) {
       await tx
         .update(companyAddresses)