Harden Parcel Society MVP for deployment

[Spbd1]

Motivation

• Prepare the web API and server-side services for safe production by enforcing server-side validation, authorization, and constraints rather than relying on client-side checks.
• Add lightweight protections (rate limiting, audit logging), consistent error handling, and CI/build changes so the app can be reliably deployed and operated.

Description

• Validation: tightened Zod schemas to .strict() and added a max(3) limit on submitted decisions, plus explicit JSON/validation error mapping in apps/web/lib/api/schemas.ts and apps/web/lib/api/responses.ts.
• Authorization & constraints: added requireSuperAdminAuth, hardened participant checks, prevented duplicate joins, disallowed actions after exit, enforced exit-as-final-action and inactive-round protection, and limited exposed participant state (removed wealth/reputation for other players) in apps/web/lib/services/game.ts, apps/web/lib/api/auth.ts, and apps/web/app/api/servers/[serverId]/state/route.ts.
• Rate limiting & audit logs: implemented a small in-memory rateLimit helper and applied it to admin login, join, decision submission, and export endpoints, and added recordAdminAction to record admin actions (create/update/start/generate/resolve/archive/export) into the auditLog model via apps/web/lib/api/audit.ts and wired calls in admin routes.
• Error handling & client UX: unified API error shape and server-side logging for 4xx/5xx conditions, added friendly client-side error mapping and a typed ApiClientError in apps/web/app/components/api.ts.
• Tests & CI: added Vitest tests covering schema validation, rate limiting, authorization and decision constraints (apps/web/lib/api/hardening.test.ts, apps/web/lib/api/auth.test.ts, packages/engine/src/hardening.test.ts) and added a GitHub Actions CI workflow that runs install, Prisma client generation, typecheck, lint, test, and build (.github/workflows/ci.yml).
• Production/build: updated apps/web/Dockerfile to include workspace package manifests and to run Prisma client generation before the Next build, and expanded next.config.ts to transpile workspace packages needed in the standalone build.

Testing

• git diff --check was run and passed locally.
• Unit tests were added (vitest) but executing the workspace test/typecheck/lint/build pipelines was blocked because pnpm install failed in this environment due to a registry 403 when fetching @eslint/js, causing missing dev/runtime dependencies and preventing tsc, eslint, vitest, and Prisma client generation from running successfully.
• Attempts to run pnpm typecheck, pnpm lint, pnpm test, and pnpm build were therefore attempted but could not complete due to the failed dependency install (missing @prisma/client, vitest, @eslint/js, etc.).
• docker build was attempted but could not be executed in this environment because Docker is not available; the Dockerfile was updated to run a production-safe build including Prisma generation and Next standalone output.

---

Codex Task