security: implement 6 high-severity vulnerability fixes

HIGH-SEVERITY FIXES (Fase 2):

1. Rate Limiting (Vulnerabilidade 2.1)
   - express-rate-limit: 100 req/15min (prod), 1000 req/15min (dev)
   - Applied to all /api/* routes
   - Standard headers for retry-after

2. CORS Restrictions (Vulnerabilidade 2.2)
   - Whitelist: dashboard.descomplicar.pt, desk.descomplicar.pt
   - Localhost only in development
   - CORS blocking logs

3. Input Validation with Zod (Vulnerabilidade 2.4)
   - Generic validateRequest() middleware
   - Schemas: WordPress Monitor, server metrics, dashboard, financial
   - Applied to api/routes/wp-monitor.ts POST endpoint
   - Detailed field-level error messages

4. Backend Authentication OIDC (Vulnerabilidade 2.5 - OPTIONAL)
   - Enabled via OIDC_ENABLED=true
   - Bearer token validation on all APIs
   - Backward compatible (disabled by default)

5. SSH Key-Based Auth Migration (Vulnerabilidade 2.6)
   - Script: /media/ealmeida/Dados/Dev/ClaudeDev/migrate-ssh-keys.sh
   - Generates ed25519 key, copies to 6 servers
   - Instructions to remove passwords from .env
   - .env.example updated with SSH_PRIVATE_KEY_PATH

6. Improved Error Handling (Vulnerabilidade 2.5)
   - Unique error IDs (UUID) for tracking
   - Structured JSON logs in production
   - Stack traces blocked in production
   - Generic messages to client

FILES CHANGED:
- api/server.ts - Complete refactor with all security improvements
- api/middleware/validation.ts - NEW: Zod middleware and schemas
- api/routes/wp-monitor.ts - Added Zod validation on POST
- .env.example - Complete security documentation
- CHANGELOG.md - Full documentation of 9 fixes (3 critical + 6 high)
- package.json + package-lock.json - New dependencies

DEPENDENCIES ADDED:
- express-rate-limit@7.x
- zod@3.x
- express-openid-connect@2.x

AUDIT STATUS:
- npm audit: 0 vulnerabilities
- Hook Regra #47: PASSED

PROGRESS:
- Phase 1 (Critical): 3/3 ✅ COMPLETE
- Phase 2 (High): 6/6 ✅ COMPLETE
- Phase 3 (Medium): 0/6 - Next
- Phase 4 (Low): 0/5 - Next

Related: AUDIT-REPORT.md vulnerabilities 2.1, 2.2, 2.4, 2.5, 2.6

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

.env.example

@@ -1,24 +1,85 @@
+# ============================================================================
 # Database Configuration
+# ============================================================================
+# OBRIGATÓRIO: Credenciais da base de dados MySQL
 DB_HOST=localhost
 DB_USER=ealmeida_desk24
 DB_PASS=your_password_here
 DB_NAME=ealmeida_desk24
 
+# ============================================================================
 # API Configuration
+# ============================================================================
 API_PORT=3001
+NODE_ENV=development
+
+# Frontend URL (desenvolvimento)
 FRONTEND_URL=http://localhost:5173
 
+# ============================================================================
+# Security - OIDC Authentication (OPCIONAL)
+# ============================================================================
+# Ativar autenticação OIDC nas APIs (true/false)
+# Se ativado, todas as APIs exigirão Bearer token
+OIDC_ENABLED=false
+OIDC_SECRET=your_oidc_secret_here
+OIDC_ISSUER=https://auth.descomplicar.pt
+OIDC_CLIENT_ID=your_client_id_here
+
+# ============================================================================
+# WordPress Monitor API
+# ============================================================================
+# OBRIGATÓRIO: API key para autenticar requests do WordPress Monitor plugin
+WP_MONITOR_API_KEY=your_secure_random_key_here
+
+# ============================================================================
 # Hetzner Cloud API
+# ============================================================================
 HETZNER_TOKEN=your_hetzner_api_token_here
 
-# SSH Servers (for metrics collection)
+# ============================================================================
+# SSH Servers - Key-Based Authentication (RECOMENDADO)
+# ============================================================================
+# Caminho para chave privada SSH
+SSH_PRIVATE_KEY_PATH=/home/user/.ssh/dashboard-descomplicar
+
+# Servidores SSH
 SERVER_HOST=176.9.3.158
 SERVER_USER=root
-SERVER_PASS=your_cwp_server_password
 
 EASY_HOST=178.63.18.51
 EASY_USER=root
-EASY_PASS=your_easypanel_password
 
-# Production URLs
+MCPHUB_HOST=mcp-hub.descomplicar.pt
+MCPHUB_USER=root
+
+MEET_HOST=meet.descomplicar.pt
+MEET_USER=root
+
+WHATSAPP_HOST=whatsapp.descomplicar.pt
+WHATSAPP_USER=root
+
+WHATSMS_HOST=whatsms.descomplicar.pt
+WHATSMS_USER=root
+
+# ============================================================================
+# SSH Servers - Password Authentication (LEGACY - NÃO RECOMENDADO)
+# ============================================================================
+# AVISO: Passwords SSH em plaintext são inseguras!
+# Use SSH_PRIVATE_KEY_PATH em vez disso
+# Para migrar: execute o script /media/ealmeida/Dados/Dev/ClaudeDev/migrate-ssh-keys.sh
+#
+# SERVER_PASS=your_cwp_server_password
+# EASY_PASS=your_easypanel_password
+# MCPHUB_PASS=your_password
+# MEET_PASS=your_password
+# WHATSAPP_PASS=your_password
+# WHATSMS_PASS=your_password
+
+# ============================================================================
+# Production Configuration
+# ============================================================================
+# Para produção, descomentar e configurar:
+# NODE_ENV=production
 # FRONTEND_URL=https://dash.descomplicar.pt
+# OIDC_ENABLED=true