Fix auth security issues, add rate limiting, write Phase 2 audit

Security fixes:
- Register route validates company exists before creating user
- Rate limiting on auth routes (10 per 15min per IP)
- Dev auth plugin guards against production use
- Main.ts throws if JWT_SECRET missing in production

Added Phase 2 audit doc (22) covering:
- Built vs planning doc comparison
- Security review with fixes applied
- Duplicate code patterns identified
- Standard POS feature gap analysis
- Music-specific feature gaps

33 tests passing.

packages/backend/package.json

@@ -14,16 +14,17 @@
     "db:seed": "bun run src/db/seed.ts"
   },
   "dependencies": {
+    "@fastify/cors": "^10",
+    "@fastify/jwt": "^9",
+    "@fastify/rate-limit": "^10.3.0",
     "@forte/shared": "workspace:*",
+    "bcrypt": "^6",
+    "drizzle-orm": "^0.38",
     "fastify": "^5",
     "fastify-plugin": "^5",
-    "@fastify/cors": "^10",
-    "drizzle-orm": "^0.38",
-    "postgres": "^3",
     "ioredis": "^5",
-    "zod": "^4",
-    "@fastify/jwt": "^9",
-    "bcrypt": "^6"
+    "postgres": "^3",
+    "zod": "^4"
   },
   "devDependencies": {
     "typescript": "^5",