fix: corrections critiques sécurité et robustesse

Sécurité :
- CORS restreint aux origines connues (plus de *)
- Clés Flask sécurisées (secrets.token_hex)
- .env.local vérifié non commité

Robustesse :
- Queues replay bornées (max 500 actions, cleanup TTL 1h)
- Vol cross-session supprimé dans /replay/next
- Backoff exponentiel polling agent (1s → 30s max)
- Nettoyage sessions mémoire TTL 24h
- Fix fuite file descriptors upload images
- Fix exceptions silencieuses compression images

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

agent_chat/app.py

@@ -77,7 +77,8 @@ logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)
 
 app = Flask(__name__)
-app.config['SECRET_KEY'] = 'rpa-vision-v3-secret'
+import secrets as _secrets
+app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY', _secrets.token_hex(32))
 socketio = SocketIO(app, cors_allowed_origins="*")
 
 # Global state

visual_workflow_builder/backend/app.py

@@ -42,7 +42,8 @@ logging.getLogger().addHandler(_file_handler)
 logging.getLogger().setLevel(logging.INFO)
 
 # Configuration
-app.config['SECRET_KEY'] = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
+import secrets as _secrets
+app.config['SECRET_KEY'] = os.getenv('SECRET_KEY', _secrets.token_hex(32))
 app.config['SQLALCHEMY_DATABASE_URI'] = os.getenv('DATABASE_URL', 'sqlite:///vwb_v3.db')
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
 app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024  # 10MB max upload