fix(ops): security headers (CSP / XFO / HSTS / etc) + website_submissions retention

Two audit-pass-#3 prod-readiness gaps.

Security headers
  next.config.ts now emits CSP, X-Frame-Options=DENY,
  X-Content-Type-Options=nosniff, Referrer-Policy, Permissions-Policy
  on every response, plus HSTS in production. CSP allows the small
  set of inline-style/inline-script + unsafe-eval (dev-only) needed
  by Tailwind, Radix, and Next dev HMR; img-src/connect-src kept
  reasonably wide for s3.portnimara.com branding + Socket.IO. Verified
  via curl -I that headers ship and that the dashboard route still
  serves correctly.

website_submissions retention
  Adds 'website-submissions-retention' case to the maintenance worker
  with a 180-day window and schedules it at 07:00 daily. Raw inquiry
  payloads include reCAPTCHA + IP + UA metadata; keeping them
  indefinitely was a privacy + storage gap that audit-pass-#3 flagged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

next.config.ts

@@ -1,5 +1,49 @@
 import type { NextConfig } from 'next';
 
+const isProd = process.env.NODE_ENV === 'production';
+
+/**
+ * Security headers applied to every response. Per audit-pass-#3 finding:
+ * the previous config emitted no CSP, X-Frame-Options, HSTS, or
+ * X-Content-Type-Options — the app was open to clickjacking + MIME
+ * sniffing.
+ *
+ * CSP notes:
+ *   - 'unsafe-inline' on style-src is required by Tailwind's runtime
+ *     style injection and Radix; revisit when Tailwind v4 ships a
+ *     nonce story.
+ *   - 'unsafe-eval' on script-src is dev-only — Next dev uses eval for
+ *     HMR. Production drops it.
+ *   - connect-src allows ws/wss for Socket.IO and https: for outgoing
+ *     fetches; tighten in prod via per-port branding URLs once we move
+ *     the s3 image references into a known allowlist.
+ *   - img-src https: is wide because port branding pulls from
+ *     s3.portnimara.com plus per-port image URLs configured at runtime.
+ */
+const csp = [
+  "default-src 'self'",
+  `script-src 'self' 'unsafe-inline'${isProd ? '' : " 'unsafe-eval'"}`,
+  "style-src 'self' 'unsafe-inline'",
+  "img-src 'self' data: blob: https:",
+  "font-src 'self' data:",
+  "connect-src 'self' ws: wss: https:",
+  "frame-ancestors 'none'",
+  "base-uri 'self'",
+  "form-action 'self'",
+  "object-src 'none'",
+].join('; ');
+
+const securityHeaders = [
+  { key: 'Content-Security-Policy', value: csp },
+  { key: 'X-Frame-Options', value: 'DENY' },
+  { key: 'X-Content-Type-Options', value: 'nosniff' },
+  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+  { key: 'Permissions-Policy', value: 'camera=(self), microphone=(), geolocation=()' },
+  ...(isProd
+    ? [{ key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' }]
+    : []),
+];
+
 const nextConfig: NextConfig = {
   output: 'standalone',
   serverExternalPackages: [
@@ -24,6 +68,14 @@ const nextConfig: NextConfig = {
     // process.cwd() requires the file to be traced explicitly.
     '/api/v1/document-templates/**': ['./assets/eoi-template.pdf'],
   },
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: securityHeaders,
+      },
+    ];
+  },
 };
 
 export default nextConfig;