fix(security): implement all 15 security fixes from penetration test V1

Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed.

HIGH:
- H1: JWT password_version mechanism (pwv in Claims, middleware verification,
  auto-increment on password change)
- H2: Docker saas port bound to 127.0.0.1
- H3: TOTP encryption key decoupled from JWT secret (production bailout)
- H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src)

MEDIUM:
- M1: Persistent rate limiting (PostgreSQL rate_limit_events table)
- M2: Account lockout (5 failures -> 15min lock)
- M3: RFC 5322 email validation with regex
- M4: Device registration typed struct with length limits
- M5: Provider URL validation on create/update (SSRF prevention)
- M6: Legacy TOTP secret migration (fixed nonce -> random nonce)
- M7: Legacy frontend crypto migration (static salt -> random salt)
- M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only
- M10: Pipeline debug log sanitization (keys only, 100-char truncation)

Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware
skeleton, fixed RegisterDeviceRequest visibility.

crates/zclaw-pipeline/src/actions/mod.rs

@@ -131,10 +131,7 @@ impl ActionRegistry {
         json_mode: bool,
     ) -> Result<Value, ActionError> {
         tracing::debug!(target: "pipeline_actions", "execute_llm: Called with template length: {}", template.len());
-        tracing::debug!(target: "pipeline_actions", "execute_llm: Input HashMap contents:");
-        for (k, v) in &input {
-            tracing::debug!(target: "pipeline_actions", "  {} => {:?}", k, v);
-        }
+        tracing::debug!(target: "pipeline_actions", "execute_llm: input keys ({}): {:?}", input.len(), input.keys().collect::<Vec<_>>());
 
         if let Some(driver) = &self.llm_driver {
             // Load template if it's a file path

crates/zclaw-pipeline/src/executor.rs

@@ -186,22 +186,17 @@ impl PipelineExecutor {
             match action {
                 Action::LlmGenerate { template, input, model, temperature, max_tokens, json_mode } => {
                     tracing::debug!(target: "pipeline_executor", "LlmGenerate action called");
-                    tracing::debug!(target: "pipeline_executor", "Raw input map:");
-                    for (k, v) in input {
-                        tracing::debug!(target: "pipeline_executor", "  {} => {}", k, v);
-                    }
+                    tracing::debug!(target: "pipeline_executor", "input keys: {:?}", input.keys().collect::<Vec<_>>());
 
                     // First resolve the template itself (handles ${inputs.xxx}, ${item.xxx}, etc.)
                     let resolved_template = context.resolve(template)?;
                     let resolved_template_str = resolved_template.as_str().unwrap_or(template).to_string();
-                    tracing::debug!(target: "pipeline_executor", "Resolved template (first 300 chars): {}",
-                        &resolved_template_str[..resolved_template_str.len().min(300)]);
+                    tracing::debug!(target: "pipeline_executor", "Resolved template ({} chars, first 100): {}",
+                        resolved_template_str.len(),
+                        &resolved_template_str[..resolved_template_str.len().min(100)]);
 
                     let resolved_input = context.resolve_map(input)?;
-                    tracing::debug!(target: "pipeline_executor", "Resolved input map:");
-                    for (k, v) in &resolved_input {
-                        tracing::debug!(target: "pipeline_executor", "  {} => {:?}", k, v);
-                    }
+                    tracing::debug!(target: "pipeline_executor", "Resolved input keys: {:?}", resolved_input.keys().collect::<Vec<_>>());
                     self.action_registry.execute_llm(
                         &resolved_template_str,
                         resolved_input,