Fix auth security issues, add rate limiting, write Phase 2 audit

Security fixes:
- Register route validates company exists before creating user
- Rate limiting on auth routes (10 per 15min per IP)
- Dev auth plugin guards against production use
- Main.ts throws if JWT_SECRET missing in production

Added Phase 2 audit doc (22) covering:
- Built vs planning doc comparison
- Security review with fixes applied
- Duplicate code patterns identified
- Standard POS feature gap analysis
- Music-specific feature gaps

33 tests passing.
Ryan Moon
2026-03-27 19:21:33 -05:00
parent dcc3dd1eed
commit c34ad27b86
6 changed files with 204 additions and 204 deletions


@@ -1,4 +1,5 @@
import Fastify from 'fastify'
import rateLimit from '@fastify/rate-limit'
import { databasePlugin } from './plugins/database.js'
import { redisPlugin } from './plugins/redis.js'
import { corsPlugin } from './plugins/cors.js'
@@ -25,12 +26,16 @@ export async function buildApp() {
await app.register(errorHandlerPlugin)
await app.register(databasePlugin)
await app.register(redisPlugin)
await app.register(rateLimit, { global: false })
// Auth — use JWT if secret is set, otherwise dev bypass
// Auth — JWT in production/test, dev bypass only in development without JWT_SECRET
if (process.env.JWT_SECRET) {
await app.register(authPlugin)
} else {
} else if (process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test') {
app.log.warn('JWT_SECRET not set — using dev auth bypass. DO NOT USE IN PRODUCTION.')
await app.register(devAuthPlugin)
} else {
throw new Error('JWT_SECRET is required in production')
}
// Routes
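Review bot: The new comment above the auth branch contradicts the condition under it: it says the dev bypass is used "only in development", but the `else if` also accepts `NODE_ENV === 'test'`, so a test environment without JWT_SECRET runs with no real authentication and the warning text "DO NOT USE IN PRODUCTION" understates that. If that is intentional (the 33-test suite presumably relies on it), make the comment say so, e.g. `// Auth — JWT whenever JWT_SECRET is set; dev bypass only for NODE_ENV=development or =test without it; any other NODE_ENV (including unset) fails closed`; if not, drop `'test'` from the condition. The `throw` for an unset or unrecognised NODE_ENV is the right fail-closed default and should be kept. Separately, `@fastify/rate-limit` keys on the request IP and defaults to an in-memory store, so if this app sits behind a reverse proxy or runs as more than one instance the 10-per-15-min limit is only meaningful with `trustProxy` set on the Fastify instance and the store backed by the Redis client registered just above it — neither is visible in this hunk, so worth confirming; with `global: false` any auth route that does not opt in explicitly is also unlimited. `buildApp` starts and ends outside the hunk.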