C1: Remove verification_code_dev from API response (CVSS 9.8)
- Code now logged server-side only when email service not configured
C2: Tenant isolation on /api/auth/users (CVSS 9.1)
- HandleListUsers filters by claims.TenantID
- TenantID added to User struct, DB migration, persistUser, loadFromDB
C3: Include TenantID in JWT tokens (CVSS 8.8)
- Login handler now uses Sign() with full Claims including TenantID
- Enables downstream RBAC tenant filtering
M1: nginx server_tokens off (hide version fingerprint)
M2: syntrex.pro added to server_name
M3: CORS multi-origin support (SOC_CORS_ORIGIN=origin1,origin2)
