chore: security hardening, mobile PWA fix & analysis expansion

- Applied strict RLS and auth validation to tracking/credit services
- Set Service Worker to Network First to fix mobile session/loading issues
- Expanded Gemini analysis summary to show distilled/bottled/batch info
- Updated SQL schema document with hardening policies

src/services/track-api-usage.ts

@@ -35,6 +35,13 @@ export async function trackApiUsage(params: TrackApiUsageParams): Promise<{ succ
     try {
         const supabase = createServerComponentClient({ cookies });
 
+        // Security check: Ensure user is only tracking their own usage
+        const { data: { user } } = await supabase.auth.getUser();
+        if (!user || user.id !== params.userId) {
+            console.error('Unauthorized API tracking attempt');
+            return { success: false, error: 'Nicht autorisiert' };
+        }
+
         const { error } = await supabase
             .from('api_usage')
             .insert({