Fix critical and high security issues

- exec_script: relay now enforces admin role before forwarding to agent
- relay CORS: restrict allow_origins via ALLOWED_ORIGINS env var (docker-compose passes app URL)
- session-code: replace Math.random() with crypto.randomInt, add per-key rate limit (10 req/min)
- sessions GET: fix IDOR — users can only read their own sessions (admins see all)
- signal API: validate session ownership on create; enforce ownerUserId on all subsequent actions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/api/sessions/[id]/route.ts

@@ -8,17 +8,22 @@ export async function GET(
   _request: NextRequest,
   { params }: { params: Promise<{ id: string }> }
 ) {
-  const session = await auth()
-  if (!session?.user?.id) {
+  const authSession = await auth()
+  if (!authSession?.user?.id) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   }
 
   const { id } = await params
+  const isAdmin = (authSession.user as { role?: string }).role === 'admin'
 
   const result = await db
     .select()
     .from(sessions)
-    .where(eq(sessions.id, id))
+    .where(
+      isAdmin
+        ? eq(sessions.id, id)
+        : and(eq(sessions.id, id), eq(sessions.viewerUserId, authSession.user.id))
+    )
     .limit(1)
 
   if (!result[0]) {
@@ -32,8 +37,8 @@ export async function PATCH(
   request: NextRequest,
   { params }: { params: Promise<{ id: string }> }
 ) {
-  const session = await auth()
-  if (!session?.user?.id) {
+  const authSession = await auth()
+  if (!authSession?.user?.id) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   }
 
@@ -47,7 +52,7 @@ export async function PATCH(
   await db
     .update(sessions)
     .set(updates)
-    .where(and(eq(sessions.id, id), eq(sessions.viewerUserId, session.user.id)))
+    .where(and(eq(sessions.id, id), eq(sessions.viewerUserId, authSession.user.id)))
 
   return NextResponse.json({ success: true })
 }