
fix: harden runtime and deployment defaults#64

Merged

gabedalmolin merged 2 commits into main from fix/runtime-and-deployment-hardening on Mar 12, 2026

Conversation

gabedalmolin (Owner) commented Mar 12, 2026

Summary

Harden the remaining runtime and deployment defaults that were still pulling the repository below a truly production-safe posture.

What changed

  • pin the Railway CLI version in the deploy workflow so release promotion is deterministic and does not depend on latest
  • fail fast on invalid token duration configuration during environment parsing instead of deferring that failure to the first auth request
  • keep production metrics disabled by default and support optional bearer protection through METRICS_AUTH_TOKEN when /metrics is exposed
  • replace regex-based bearer parsing with explicit header parsing to avoid CodeQL's uncontrolled polynomial regex finding on request headers
  • bound the in-memory rate-limit fallback store so a Redis outage with high-cardinality traffic cannot grow the fallback map without limit
  • extend tests and docs to cover the hardened behaviour and the intended production defaults

Validation

  • npm run lint
  • npm run typecheck
  • npm test
  • npm run test:integration when the change affects infrastructure-backed paths

Risks/Notes

  • METRICS_AUTH_TOKEN is optional by design so local observability remains simple, but any non-local metrics exposure should either use that token or stay private at the network layer.
  • The Railway CLI version is now intentionally pinned. Future upgrades should happen through normal review instead of drifting at deploy time.
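As an added illustration of the three runtime changes listed above (fail-fast token duration parsing, explicit bearer header parsing in place of a regex, and a bounded in-memory rate-limit fallback), here is one way to write them in TypeScript. This is example code, not the repository's own implementation: the names parseTokenDurationSeconds, parseBearerToken, isMetricsRequestAuthorized, BoundedFallbackStore and the TOKEN_DURATION variable are assumptions, and only the Node.js standard library is used.

```typescript
// Added example: hypothetical TypeScript sketches of the three runtime hardenings
// described in the PR. Not the repository's code; names and signatures are assumptions.
import { timingSafeEqual } from "node:crypto";

const UNIT_SECONDS = new Map<string, number>([["s", 1], ["m", 60], ["h", 3600], ["d", 86400]]);

/** Fail fast at environment parse time: a missing, malformed or non-positive token
 *  lifetime throws here, not on the first auth request. Accepts plain seconds ("3600")
 *  or a value with a unit ("15m", "2h", "7d"). TOKEN_DURATION is a hypothetical name. */
export function parseTokenDurationSeconds(raw: string | undefined, name = "TOKEN_DURATION"): number {
  const s = (raw ?? "").trim();
  if (s === "") throw new Error(`${name} is required`);
  const unit = UNIT_SECONDS.get(s[s.length - 1]);
  const digits = unit === undefined ? s : s.slice(0, -1);
  const allDigits = digits.length > 0 && digits.split("").every((c) => c >= "0" && c <= "9");
  if (!allDigits) throw new Error(`${name}: expected <digits>[s|m|h|d], got "${raw}"`);
  const seconds = Number(digits) * (unit ?? 1);
  if (!Number.isSafeInteger(seconds) || seconds <= 0) {
    throw new Error(`${name}: must be a positive whole number of seconds, got "${raw}"`);
  }
  return seconds;
}

// b64token characters from RFC 6750: ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" / "="
function isB64TokenChar(code: number): boolean {
  return (code >= 48 && code <= 57) || (code >= 65 && code <= 90) || (code >= 97 && code <= 122) ||
    code === 45 || code === 46 || code === 95 || code === 126 || code === 43 || code === 47 || code === 61;
}

/** Explicit Authorization header parsing with no regex: one bounded, linear scan over
 *  attacker-controlled input, so there is no backtracking for CodeQL to flag. Returns the
 *  token, or null when the header is absent, oversized, not a Bearer credential, or malformed. */
export function parseBearerToken(header: string | undefined, maxLen = 4096): string | null {
  if (typeof header !== "string" || header.length < 8 || header.length > maxLen) return null;
  // The scheme name is case-insensitive (RFC 7235); it must be followed by at least one SP.
  if (header.slice(0, 6).toLowerCase() !== "bearer" || header[6] !== " ") return null;
  let i = 7;
  while (i < header.length && header[i] === " ") i++;
  const token = header.slice(i);
  if (token.length === 0) return null;
  for (let j = 0; j < token.length; j++) {
    if (!isB64TokenChar(token.charCodeAt(j))) return null;
  }
  return token;
}

/** Optional bearer protection for /metrics: with no configured token the endpoint is left
 *  open (the PR's intended local default, to be paired with network-layer privacy); with one,
 *  the presented token must match in constant time. */
export function isMetricsRequestAuthorized(configuredToken: string | undefined, authHeader: string | undefined): boolean {
  if (!configuredToken) return true;
  const presented = parseBearerToken(authHeader);
  if (presented === null) return false;
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(configuredToken, "utf8");
  // timingSafeEqual throws on unequal lengths, so compare lengths first (length is not secret).
  return a.length === b.length && timingSafeEqual(a, b);
}

interface Window { count: number; resetAt: number }

/** In-memory fallback for when Redis is unavailable. The key count is capped; when full, the
 *  least recently used key is evicted (Map preserves insertion order, so re-inserting on each
 *  hit keeps the oldest key at the front). Memory is bounded regardless of traffic cardinality. */
export class BoundedFallbackStore {
  private readonly entries = new Map<string, Window>();
  constructor(private readonly maxKeys: number, private readonly windowMs: number, private readonly limit: number) {}

  /** Records one request for `key` at time `now` (ms) and returns whether it is within the limit. */
  hit(key: string, now: number): boolean {
    let w = this.entries.get(key);
    if (w !== undefined && w.resetAt <= now) {
      this.entries.delete(key); // window expired: start a fresh one below
      w = undefined;
    }
    if (w !== undefined) {
      this.entries.delete(key); // refresh recency
      w.count += 1;
      this.entries.set(key, w);
      return w.count <= this.limit;
    }
    if (this.entries.size >= this.maxKeys) {
      const oldest = this.entries.keys().next().value;
      if (oldest !== undefined) this.entries.delete(oldest);
    }
    this.entries.set(key, { count: 1, resetAt: now + this.windowMs });
    return true;
  }

  size(): number { return this.entries.size; }
}
```

Two caveats a reviewer would want on record. The bounded store guarantees memory, not fairness: during a Redis outage a flood of distinct keys evicts counters for legitimate clients, so the cap should be sized to expected key cardinality and evictions should be logged or metered. And the metrics guard is deliberately permissive when no token is configured, which is exactly why the Risks/Notes above insist that any non-local exposure either sets METRICS_AUTH_TOKEN or stays private at the network layer.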

@gabedalmolin gabedalmolin merged commit 3478bd6 into main Mar 12, 2026
5 checks passed
@gabedalmolin gabedalmolin deleted the fix/runtime-and-deployment-hardening branch March 12, 2026 00:58