fix(portal): security hardening for pilot readiness

- C1: Rewrite /api/usage to resolve teamId server-side from tenant CR;
  customers can no longer pass arbitrary teamId (IDOR fix)
- C2: Remove POST /api/tenants — tenants are only created via admin
  approval flow
- H1: Validate packages against catalog, workspaceFiles against allowlist,
  and field lengths in PATCH /api/tenants/[name]
- H2: Remove full ZITADEL profile claims logging from JWT callback
- H3: Add safeError() utility; sanitize all error responses to clients,
  toggle raw errors via PORTAL_DEBUG_ERRORS=true
- H4/H5: Escape HTML entities in all email templates (contactName,
  companyName, adminNotes)

src/app/api/admin/requests/[id]/approve/route.ts

@@ -14,6 +14,7 @@ import {
   getDefaultAgentsMd,
   generateToolsMd,
 } from "@/lib/workspace-defaults";
+import { safeError } from "@/lib/errors";
 
 /**
  * POST /api/admin/requests/[id]/approve
@@ -133,7 +134,7 @@ export async function POST(
   } catch (e: any) {
     console.error("Failed to create tenant:", e);
     return NextResponse.json(
-      { error: `Failed to create tenant: ${e.message}` },
+      { error: safeError(e, "Failed to create tenant") },
       { status: 500 }
     );
   }