M1 foundation: fix proxy, pool HTTP clients, split services, add ApiError + RLS

- Fix proxy body forwarding, round-robin load balancing, response streaming
- Pool reqwest::Client in proxy, control, and gateway (no per-request alloc)
- Harden CORS in gateway/main.rs (was allow_origin(Any), now uses ALLOWED_ORIGINS)
- Add common/src/error.rs: ApiError type with structured JSON responses
- Add common/src/rls.rs: RlsTransaction extractor for deduplicated RLS setup
- Fix tracing in all standalone binaries (EnvFilter instead of unused var)
- Dockerfile multi-stage: separate worker-runtime, control-runtime, proxy-runtime targets
- docker-compose.yml: split into worker/system/proxy services with health checks
- Fix Grafana port mapping in pillar-system (3030:3000)
- Add config/prometheus.yml and config/vmagent.yml
- Add .env.example with all required variables
- 55 tests pass (49 run + 6 ignored integration tests requiring external services)

Made-with: Cursor

realtime/src/ws.rs

@@ -152,14 +152,34 @@ async fn handle_socket(socket: WebSocket, state: RealtimeState, project_ctx: Pro
 
                                 match event.as_str() {
                                     "phx_join" => {
-                                        // Auth Check
+                                        // Auth Check - REQUIRED
                                         let token = payload.get("access_token").and_then(|v| v.as_str());
-                                        if let Some(jwt) = token {
+                                        let jwt_valid = if let Some(jwt) = token {
                                             let validation = Validation::new(Algorithm::HS256);
                                             match decode::<Claims>(jwt, &DecodingKey::from_secret(project_ctx.jwt_secret.as_bytes()), &validation) {
-                                                Ok(data) => { _user_claims = Some(data.claims); },
-                                                Err(_) => { tracing::warn!("Invalid JWT in join"); }
+                                                Ok(data) => {
+                                                    _user_claims = Some(data.claims);
+                                                    true
+                                                },
+                                                Err(e) => {
+                                                    tracing::warn!("Invalid JWT in join: {}", e);
+                                                    false
+                                                }
                                             }
+                                        } else {
+                                            false
+                                        };
+
+                                        if !jwt_valid {
+                                            let reply = serde_json::json!([
+                                                join_ref,
+                                                r#ref,
+                                                topic,
+                                                "phx_reply",
+                                                { "status": "error", "response": { "reason": "unauthorized" } }
+                                            ]);
+                                            let _ = tx_internal.send(reply.to_string()).await;
+                                            continue;
                                         }
 
                                         subscriptions.insert(topic.clone());