fix: address code and security review findings for Phase 5

- Add nginx security headers (X-Frame-Options, X-Content-Type-Options, etc.)
- Fix postgres networking: add to app_network, comment out host port exposure
- Fix rate limit memory leak: add bounded eviction for stale thread entries
- Use immutable update pattern in rate limit check (no .append mutation)
- Extract _VERSION constant to avoid duplicate hardcoded version string

docker-compose.yml

@@ -5,8 +5,7 @@ services:
       POSTGRES_DB: smart_support
       POSTGRES_USER: smart_support
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-dev_password}
-    ports:
-      - "5432:5432"
+    # ports: ["5432:5432"]  # Uncomment for local dev DB access only
     volumes:
       - pgdata:/var/lib/postgresql/data
     healthcheck:
@@ -14,6 +13,8 @@ services:
       interval: 5s
       timeout: 3s
       retries: 5
+    networks:
+      - app_network
 
   backend:
     build: