SECURITY: Eliminate complex fallback storage, enforce environment variables

Core changes:
- Remove file/database fallback storage complexity
- Enforce JWT_SECRET and DATABASE_KEY as environment variables only
- Auto-generate keys on first startup with clear user guidance
- Eliminate circular dependencies and storage layer abstractions

Security improvements:
- Single source of truth for secrets (environment variables)
- No persistent storage of secrets in files or database
- Clear deployment guidance for production environments
- Simplified attack surface by removing storage complexity

WebSocket authentication:
- Implement JWT authentication for WebSocket handshake
- Add connection limits and user tracking
- Update frontend to pass JWT tokens in WebSocket URLs
- Configure Nginx for authenticated WebSocket proxy

Additional fixes:
- Replace CORS wildcard with specific origins
- Remove password logging security vulnerability
- Streamline encryption architecture following Linus principles
ZacharyZcR
2025-09-22 08:57:37 +08:00
parent ed11b309f4
commit dfc92428e0
6 changed files with 316 additions and 315 deletions
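The commit replaces the CORS wildcard with an allowlist read from ALLOWED_ORIGINS and falls back to a localhost list when the variable is unset. As an added example (not code from this commit or project), the following resolver shows how to parse that variable so it fails closed: it rejects the wildcard and non-origin entries, canonicalises each entry to scheme://host[:port], and refuses to start in production instead of silently using the development origins. The names resolveAllowedOrigins, normalizeOrigin, isOriginAllowed and DEV_ORIGINS are assumptions for the example; the four development origins match the ones in the diff.

```javascript
// Added example, not the project's code. Assumed helper names throughout.
// Goal: build the `origin` array for the cors middleware without a silent
// fallback to development origins in production.

const DEV_ORIGINS = [
  "http://localhost:3000",
  "http://localhost:5173",
  "http://127.0.0.1:3000",
  "http://127.0.0.1:5173",
];

// Canonicalise one entry to an origin (scheme://host[:port]).
// Returns null for the wildcard, relative values, non-http(s) schemes,
// or anything carrying a path, query or fragment (an origin has none).
function normalizeOrigin(entry) {
  if (entry === "*") return null; // never accept the wildcard
  let url;
  try {
    url = new URL(entry);
  } catch {
    return null; // not an absolute URL (e.g. "app.example.com")
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.pathname !== "/" || url.search || url.hash) return null;
  return url.origin; // lowercases host, drops default port and trailing slash
}

// Resolve the allowlist from an environment object (pass process.env in real use).
// Throws rather than returning a permissive default when the configuration is
// missing or malformed in production.
function resolveAllowedOrigins(env) {
  const raw = (env.ALLOWED_ORIGINS || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean); // a trailing comma must not add "" to the list
  const isProduction = env.NODE_ENV === "production";

  if (raw.length === 0) {
    if (isProduction) {
      throw new Error(
        "ALLOWED_ORIGINS must be set in production; refusing to fall back to localhost origins"
      );
    }
    return [...DEV_ORIGINS];
  }

  const bad = raw.filter((e) => normalizeOrigin(e) === null);
  if (bad.length > 0) {
    throw new Error(`ALLOWED_ORIGINS contains invalid or wildcard entries: ${bad.join(", ")}`);
  }
  return [...new Set(raw.map(normalizeOrigin))];
}

// Exact-match check with the same semantics the cors package applies to an
// array `origin`: requests without an Origin header are not allowed.
function isOriginAllowed(origin, allowed) {
  return typeof origin === "string" && allowed.includes(origin);
}

// Usage (assumed wiring): app.use(cors({ origin: resolveAllowedOrigins(process.env), credentials: true }))
```

Because `credentials: true` makes the browser attach cookies and Authorization headers to cross-origin requests, every entry in this list receives credentialed responses, which is why the resolver treats an unset variable in production as a startup error rather than a warning.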


@@ -20,7 +20,16 @@ import { UserDataImport } from "../utils/user-data-import.js";
const app = express();
app.use(
cors({
origin: "*",
// SECURITY: Specific origins only - no wildcard for production safety
origin: process.env.ALLOWED_ORIGINS ?
process.env.ALLOWED_ORIGINS.split(',').map(origin => origin.trim()) :
[
"http://localhost:3000", // Development React
"http://localhost:5173", // Development Vite
"http://127.0.0.1:3000", // Local development
"http://127.0.0.1:5173", // Local development
],
credentials: true, // Enable credentials for secure cookies/auth
methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
allowedHeaders: [
"Content-Type",
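Review bot: the `process.env.ALLOWED_ORIGINS ? ... : [localhost list]` fallback at the top of this hunk applies in every environment, so a production deployment that forgets to set ALLOWED_ORIGINS, or sets it to an empty string (falsy, so the ternary takes the fallback), silently runs with the four localhost origins allowed, and with `credentials: true` a page on one of those origins gets credentialed responses. Consider refusing to start when NODE_ENV is production and the variable is unset, documenting ALLOWED_ORIGINS next to JWT_SECRET and DATABASE_KEY in the deployment guidance the commit message promises, and appending `.filter(Boolean)` after `.map(origin => origin.trim())` so a trailing comma does not add `""` to the list.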