fix(portal): security hardening for pilot readiness

- C1: Rewrite /api/usage to resolve teamId server-side from tenant CR;
  customers can no longer pass arbitrary teamId (IDOR fix)
- C2: Remove POST /api/tenants — tenants are only created via admin
  approval flow
- H1: Validate packages against catalog, workspaceFiles against allowlist,
  and field lengths in PATCH /api/tenants/[name]
- H2: Remove full ZITADEL profile claims logging from JWT callback
- H3: Add safeError() utility; sanitize all error responses to clients,
  toggle raw errors via PORTAL_DEBUG_ERRORS=true
- H4/H5: Escape HTML entities in all email templates (contactName,
  companyName, adminNotes)

src/lib/errors.ts

@@ -0,0 +1,37 @@
+/**
+ * Error sanitization for API responses.
+ *
+ * By default, returns a generic message to the client and logs the full
+ * error server-side. Set PORTAL_DEBUG_ERRORS=true to return the raw
+ * error message to the client (useful during development/debugging).
+ */
+
+const DEBUG_ERRORS = process.env.PORTAL_DEBUG_ERRORS === "true";
+
+/**
+ * Returns a safe error string for API responses.
+ *
+ * - In debug mode (PORTAL_DEBUG_ERRORS=true): returns the raw e.message
+ * - In production mode: returns the fallback string and logs the real error
+ *
+ * Recognises common HTTP status codes from k8s/vault errors and returns
+ * appropriate short messages even in production mode.
+ */
+export function safeError(e: unknown, fallback: string): string {
+  const err = e instanceof Error ? e : new Error(String(e));
+  const statusCode = (err as any).statusCode as number | undefined;
+
+  if (DEBUG_ERRORS) {
+    return err.message;
+  }
+
+  // Map well-known status codes to safe messages
+  if (statusCode === 404) return "Not found";
+  if (statusCode === 403) return "Forbidden";
+  if (statusCode === 409) return "Conflict";
+  if (statusCode === 401) return "Unauthorized";
+
+  // Log full error server-side, return generic to client
+  console.error(`${fallback}:`, err.message);
+  return fallback;
+}