fix(prod): harden production configuration for launch

- Gate Swagger/ReDoc/OpenAPI behind DEBUG (no public API schema in prod)
- Sentry send_default_pii only in dev (no auth headers/bodies in events)
- Remove alembic from Dockerfile CMD (releaseCommand owns migrations; CMD copy raced across replicas/restarts)
- Decouple rate limiting from DEBUG via RATE_LIMIT_ENABLED (PR envs with DEBUG=true were unlimited); tests disable the live limiter in conftest
- max_instances=1 on the 4 scheduler jobs missing it
- Boot-time failure when SELF_SERVE_ENABLED without RESEND_API_KEY/ANTHROPIC_API_KEY/FRONTEND_URL
- Reject localhost OAUTH_REDIRECT_BASE outside DEBUG
- pool_pre_ping + pool_recycle on the app engine
- Frontend: DEV-gate stale-async console.warn; document VITE_SELF_SERVE_ENABLED fallback semantics in Dockerfile

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/Dockerfile

@@ -24,5 +24,6 @@ COPY . .
 # Expose port (Railway uses PORT env variable)
 EXPOSE 8000
 
-# Run migrations then start the application
-CMD alembic upgrade head && uvicorn app.main:app --host 0.0.0.0 --port ${PORT:-8000}
+# Migrations run exclusively via Railway releaseCommand (scripts/release) —
+# running them here too would race across replicas/restarts.
+CMD uvicorn app.main:app --host 0.0.0.0 --port ${PORT:-8000}