Codebase hardening: 102 fixes across 35+ files

Deep audit identified 106 findings; 102 fixed, 4 deferred. Covers 8 areas:

- Settings & deploy: env-gated DEBUG/SECRET_KEY, HTTPS headers, gunicorn, celery worker
- Auth (registered_user): password write_only, request.data fixes, transaction safety, proper HTTP status codes
- Workout app: IDOR protection, get_object_or_404, prefetch_related N+1 fixes, transaction.atomic
- Video/scripts: path traversal sanitization, HLS trigger guard, auth on cache wipe
- Models (exercise/equipment/muscle/superset): null-safe __str__, stable IDs, prefetch support
- Generator views: helper for registered_user lookup, logger.exception, bulk_update, transaction wrapping
- Generator core (rules/selector/generator): push-pull ratio, type affinity normalization, modality checks, side-pair exact match, word-boundary regex, equipment cache clearing
- Generator services (plan_builder/analyzer/normalizer): transaction.atomic, muscle cache, bulk_update, glutes classification fix

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -25,6 +25,10 @@ services:
     environment:
       - DATABASE_URL=postgres://postgres:postgres@db:5432/werkout
       - REDIS_URL=redis://redis:6379
+      - SECRET_KEY=${SECRET_KEY:-insecure-dev-secret-key-change-in-production}
+      - DEBUG=${DEBUG:-true}
+      - ALLOWED_HOSTS=${ALLOWED_HOSTS:-*}
+      - CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-}
     depends_on:
       db:
         condition: service_healthy
@@ -43,6 +47,8 @@ services:
     environment:
       - DATABASE_URL=postgres://postgres:postgres@db:5432/werkout
       - REDIS_URL=redis://redis:6379
+      - SECRET_KEY=${SECRET_KEY:-insecure-dev-secret-key-change-in-production}
+      - DEBUG=${DEBUG:-true}
     depends_on:
       - db
       - redis