Harden data access, document uploads, and secret handling

[kveton]

Summary

This PR implements a focused security hardening pass across the backend, frontend, migrations, and dependency locks.

What changed

• Locks Supabase app data tables behind backend service-role APIs and adds a cleanup migration for invalid tabular cells.
• Replaces direct frontend user_profiles access with safe backend profile APIs.
• Encrypts user LLM API keys at rest and only returns has_*_api_key booleans to the browser.
• Requires dedicated DOWNLOAD_SIGNING_SECRET and USER_API_KEYS_ENCRYPTION_KEY secrets.
• Validates uploaded PDF/DOC/DOCX bytes and DOCX structure before storage/conversion.
• Tightens tabular-review document authorization, project-review access, direct-share edit behavior, and chat project scoping.
• Removes sensitive raw LLM/document logging and unused frontend server-secret utilities.
• Updates vulnerable frontend/backend dependencies and adds targeted backend security tests.

Validation

• backend: npm test passed, 9 tests.
• backend: npm run build passed.
• frontend: npm run build passed with placeholder public env values.
• backend + frontend: npm audit --json reports 0 vulnerabilities.
• Local smoke test:
  • Backend /health returned 200.
  • Protected backend routes returned 401 without auth.
  • Browser smoke verified /login and /signup render, protected routes redirect to /login, and no Next error overlays or material console errors appeared.

Notes

Authenticated Supabase/R2 flows were not smoke-tested locally because this workspace only has example env files, not real local secrets.