Security hardening follow-ups from Kratos scan #4557

@chendingplano

Description

Summary

Track remediation work from local Kratos security review.

Already done

  • Moved Kratos DB connection from hardcoded YAML to env var (DSN) usage
  • Added admin authorization middleware for /admin/* in backend/main.go
  • Added kratos/kratos-production.yml to .gitignore
  • Removed unused local Docker compose workflow (docker-compose.yml)

Remaining actions

  • Set log.leak_sensitive_values: false in local kratos/kratos.yml
  • Rotate and revoke exposed credentials (Resend API key, Google OAuth client secret, DB credentials, Kratos/UI secrets)
  • Remove any residual plaintext secrets from non-gitignored files and docs
  • Ensure bcrypt cost is 12 in active configs
  • Standardize role source of truth for admin checks (metadata_admin.role preferred) and document onboarding for admin users
  • Verify local/dev startup scripts export DSN before kratos serve and kratos migrate

Acceptance criteria

  • No hardcoded secrets remain in tracked files
  • Local and production configs both run without secret leakage in logs
  • /admin/* returns 403 for authenticated non-admin users
  • Security checklist documented in repo docs
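An added example (not code from the repository or the issue author) of the /admin/* gate described above, in Go because the middleware lives in backend/main.go. It assumes the Kratos /sessions/whoami response shape, the role value "admin" in metadata_admin as the source of truth, and a sessionLookup stand-in for the real call to Kratos:

```go
package main

import (
	"encoding/json"
	"net/http"
)

// kratosSession mirrors the fields of a Kratos /sessions/whoami response that the
// check needs. metadata_admin is writable only via the Kratos admin API, so it is
// a safer role source than traits or metadata_public, which the user can edit.
type kratosSession struct {
	Active   bool `json:"active"`
	Identity struct {
		MetadataAdmin struct {
			Role string `json:"role"`
		} `json:"metadata_admin"`
	} `json:"identity"`
}

// sessionLookup returns the raw whoami JSON for the caller, or nil when Kratos
// reports no session (production code forwards the request cookies to Kratos).
type sessionLookup func(r *http.Request) []byte

// IsAdminSession parses a whoami body and reports whether the session is active
// and whether its identity carries role "admin" (assumed value) in metadata_admin.
func IsAdminSession(raw []byte) (active, admin bool) {
	var s kratosSession
	if err := json.Unmarshal(raw, &s); err != nil {
		return false, false // nil or malformed body: no session
	}
	return s.Active, s.Active && s.Identity.MetadataAdmin.Role == "admin"
}

// AdminOnly wraps the /admin/* handler: 401 without an active session,
// 403 for an authenticated non-admin, otherwise pass through.
func AdminOnly(lookup sessionLookup, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		active, admin := IsAdminSession(lookup(r))
		switch {
		case !active:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		case !admin:
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// Constructed sample whoami bodies (not real Kratos output); the second shows that
// a role placed in user-editable metadata_public does not grant admin.
const SampleAdminSession = `{"active":true,"identity":{"metadata_admin":{"role":"admin"}}}`
const SampleUserSession = `{"active":true,"identity":{"metadata_public":{"role":"admin"}}}`
```

Wire it as `http.Handle("/admin/", AdminOnly(lookup, adminMux))` with a lookup that calls the Kratos public whoami endpoint.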
