fix: address multiple code audit findings

- CORS: replace wildcard with explicit origin list from CORS_ORIGINS env
- Auth: enforce strong defaults, JWT blacklist (RevokedToken model), login rate limiting
- Auth: validate password length before bcrypt (72-byte limit)
- Scheduler: single-threaded worker to mitigate SQLite write contention
- Scheduler: graceful shutdown (wait=True)
- Snapshots: add prune_snapshots() with configurable retention count
- Storage: isolate localStorage keys via VITE_APP_KEY prefix
- Config: add cors_origins, login_rate_limit, snapshot_retention_count settings

backend/app/services/snapshot_service.py

@@ -1,6 +1,10 @@
 """Snapshot diff logic."""
 from typing import Any, Optional
 
+from sqlalchemy.orm import Session
+
+from app.models.snapshot import UpstreamRateSnapshot
+
 
 def diff_snapshots(
     previous: Optional[dict[str, Any]],
@@ -37,3 +41,20 @@ def diff_snapshots(
                 "new_rate": None,
             })
     return changes
+
+
+def prune_snapshots(db: Session, upstream_id: int, keep: int) -> None:
+    if keep <= 0:
+        return
+    stale_ids = [
+        row_id
+        for (row_id,) in (
+            db.query(UpstreamRateSnapshot.id)
+            .filter(UpstreamRateSnapshot.upstream_id == upstream_id)
+            .order_by(UpstreamRateSnapshot.captured_at.desc(), UpstreamRateSnapshot.id.desc())
+            .offset(keep)
+            .all()
+        )
+    ]
+    if stale_ids:
+        db.query(UpstreamRateSnapshot).filter(UpstreamRateSnapshot.id.in_(stale_ids)).delete(synchronize_session=False)