- C1: Rewrite /api/usage to resolve teamId server-side from tenant CR;
customers can no longer pass arbitrary teamId (IDOR fix)
- C2: Remove POST /api/tenants — tenants are only created via admin
approval flow
- H1: Validate packages against catalog, workspaceFiles against allowlist,
and field lengths in PATCH /api/tenants/[name]
- H2: Remove full ZITADEL profile claims logging from JWT callback
- H3: Add safeError() utility; sanitize all error responses to clients,
toggle raw errors via PORTAL_DEBUG_ERRORS=true
- H4/H5: Escape HTML entities in all email templates (contactName,
companyName, adminNotes)
