M0 security hardening: fix all vulnerabilities and resolve build errors

- Fix 5 source files corrupted with markdown formatting by previous AI
- Remove secret logging from auth middleware, signup, and recovery handlers
- Add role validation (ALLOWED_ROLES allowlist) to all 10 data_api + storage handlers
- Fix JavaScript injection in Deno runtime via double-serialization
- Add UUID validation to TUS upload paths to prevent path traversal
- Gate token issuance on email confirmation (AUTH_AUTO_CONFIRM env var)
- Reject unconfirmed users on login with 403
- Prevent OAuth account takeover (409 on email conflict with different provider)
- Replace permissive CORS (allow_origin Any) with ALLOWED_ORIGINS env var
- Wire session-based admin auth into control plane, add POST /platform/v1/login
- Hide secrets from list_projects API via ProjectSummary struct
- Add missing deps (redis, uuid, chrono, tower-http fs feature)
- Fix http version mismatch between reqwest 0.11 and axum 0.7 in proxy
- Clean up all unused imports across workspace

Build: zero errors, zero warnings. Tests: 10 passed, 0 failed.
Made-with: Cursor

gateway/Cargo.toml

@@ -23,7 +23,13 @@ dotenvy = { workspace = true }
 anyhow = { workspace = true }
 axum-prometheus = "0.6"
 tower_governor = "0.4.2"
-tower-http = { version = "0.6.8", features = ["cors", "trace"] }
+tower-http = { version = "0.6.8", features = ["cors", "trace", "fs"] }
 moka = { version = "0.12.14", features = ["future"] }
 reqwest = { version = "0.11", features = ["json"] }
+uuid = { workspace = true }
+chrono = { workspace = true }
+redis = { workspace = true }
+
+[dev-dependencies]
+tower = "0.5"