- Fix pgx/v5 SQL placeholder bug (? -> /) in tenant_handlers.go
- tenant_id was silently failing to write/read, causing empty TenantID in JWT
- Harden requireSOC middleware to BLOCK when TenantID is empty (was pass-through)
- Block paid plan upgrades without Stripe payment verification
- Add in-memory cache update for tenant_id on registration
- Add fallback tenant_id read from User object in HandleVerifyEmail
C1: Remove verification_code_dev from API response (CVSS 9.8)
- Code now logged server-side only when email service not configured
C2: Tenant isolation on /api/auth/users (CVSS 9.1)
- HandleListUsers filters by claims.TenantID
- TenantID added to User struct, DB migration, persistUser, loadFromDB
C3: Include TenantID in JWT tokens (CVSS 8.8)
- Login handler now uses Sign() with full Claims including TenantID
- Enables downstream RBAC tenant filtering
M1: nginx server_tokens off (hide version fingerprint)
M2: syntrex.pro added to server_name
M3: CORS multi-origin support (SOC_CORS_ORIGIN=origin1,origin2)
