feat: enterprise-grade auth -- HttpOnly cookie sessions, CSRF, lockout, session limits#1102

Merged
Aureliolo merged 14 commits into main from feat/enterprise-auth
Apr 7, 2026

Conversation

@Aureliolo
Owner

Summary

Enterprise-grade auth hardening for multi-user deployments. Replaces sessionStorage JWT tokens with HttpOnly cookie sessions, adds CSRF protection, concurrent session limits, account lockout, and refresh token infrastructure.

Backend

  • HttpOnly cookie sessions: Login/setup set Set-Cookie: session=<JWT>; HttpOnly; Secure; SameSite=Strict instead of returning JWT in response body. CookieSessionResponse replaces TokenResponse
  • CSRF middleware: Custom ASGI double-submit cookie pattern -- validates X-CSRF-Token header against csrf_token cookie on mutating requests. Skips API key requests (no cookie = no CSRF risk). Exempt paths for login/setup
  • Cookie-first auth middleware: Reads JWT from session cookie first, falls back to Authorization header for API keys and system user CLI JWTs
  • Concurrent session limits: max_concurrent_sessions config (default 5), enforce_session_limit() revokes oldest sessions on exceed
  • Account lockout: Hybrid in-memory + SQLite LockoutStore -- tracks failed login attempts per username, enforces temp lockout after threshold (default 10 in 15 min), timing-safe dummy hash on locked accounts, load_locked() restores state after restart
  • Refresh token store: SQLite-backed RefreshStore with HMAC-SHA256 hashed tokens, single-use consume via UPDATE...RETURNING (no TOCTOU), replay detection, session/user revocation cascade
  • Password change rotates cookie: New JWT + session cookies issued on password change
  • Logout: Clears all cookies + Clear-Site-Data: "cookies" header
  • AuthConfig: 15 new fields (cookie, CSRF, session limits, lockout, refresh) with NotBlankStr validation, cross-field validators

Frontend

  • Remove all sessionStorage token management: No more auth_token in sessionStorage, no expiry timer, no Authorization header injection
  • Tri-state auth: authStatus: 'unknown' | 'authenticated' | 'unauthenticated' replaces !!token check. checkSession() calls /auth/me on page load
  • CSRF interceptor: Reads non-HttpOnly csrf_token cookie, attaches X-CSRF-Token header on POST/PUT/PATCH/DELETE
  • withCredentials: true on Axios client + credentials: 'include' on SSE fetch
  • Route guards: Tri-state loading/redirect/render in AuthGuard/GuestGuard
  • Session management API: listSessions(scope), revokeSession(id), async logout()

Test coverage

  • 205 backend auth tests (60+ new), 2418 frontend tests pass
  • New test files: test_cookies.py, test_csrf.py, test_lockout_store.py, test_refresh_store.py
  • Updated: test_middleware.py, test_controller.py, test_config.py, test_session_store.py, test_app.py, test_errors.py, test_migrations.py, test_ws.py + 8 frontend test files

Review coverage

Pre-reviewed by 11 agents, 28 findings addressed:

  • Security reviewer, code reviewer, issue resolution verifier, silent failure hunter, type design analyzer, comment analyzer, test analyzer, async concurrency reviewer, API contract drift, frontend reviewer, docs consistency, persistence reviewer

Documentation

  • docs/security.md updated with new threat model (HttpOnly cookies, CSRF, lockout, refresh tokens, concurrent sessions)
  • CLAUDE.md package structure updated with new auth modules
  • docs/design/operations.md auth endpoint description updated

Test plan

uv run python -m pytest tests/unit/api/auth/ -n 8     # 205 auth tests
uv run python -m pytest tests/ -n 8                    # full suite
npm --prefix web run test                              # 2418 frontend tests
npm --prefix web run lint && npm --prefix web run type-check

Closes #1068
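The CSRF middleware described in the Backend list (double-submit cookie: `X-CSRF-Token` header checked against the `csrf_token` cookie on mutating requests, skipped when no cookie is present, exempt paths for login/setup) is worth seeing as a pure ASGI layer. The following is an added example, not the PR's own middleware; the exempt paths `/auth/login` and `/auth/setup`, the `session` cookie name as the signal for cookie-based auth, and the 403 body are assumptions made here.

```python
"""Added example: double-submit-cookie CSRF check as a raw ASGI middleware.

Not the PR's own code. Cookie/header names follow the PR description; the
exempt paths and the rejection body are assumptions of this example.
"""
from __future__ import annotations

import asyncio
import hmac
from http.cookies import CookieError, SimpleCookie
from typing import Iterable, Optional, Tuple

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
SESSION_COOKIE = "session"
CSRF_COOKIE = "csrf_token"
CSRF_HEADER = b"x-csrf-token"
EXEMPT_PATHS = frozenset({"/auth/login", "/auth/setup"})  # assumed paths

Headers = Iterable[Tuple[bytes, bytes]]


def _header(headers: Headers, name: bytes) -> Optional[str]:
    """Return the first header with this lowercase name, or None."""
    for key, value in headers:
        if key.lower() == name:
            return value.decode("latin-1")
    return None


def _cookies(headers: Headers) -> dict:
    """Parse the Cookie header into {name: value}; malformed input -> {}."""
    raw = _header(headers, b"cookie")
    if raw is None:
        return {}
    jar = SimpleCookie()
    try:
        jar.load(raw)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def csrf_verdict(method: str, path: str, headers: Headers) -> str:
    """Decide 'allow' or 'reject' for one request."""
    if method.upper() not in MUTATING_METHODS or path in EXEMPT_PATHS:
        return "allow"
    cookies = _cookies(headers)
    if SESSION_COOKIE not in cookies and CSRF_COOKIE not in cookies:
        # No cookie at all: the caller authenticates via an Authorization
        # header (API key / CLI JWT), which a cross-site page cannot attach.
        return "allow"
    expected = cookies.get(CSRF_COOKIE)
    presented = _header(headers, CSRF_HEADER)
    if expected is None or presented is None:
        return "reject"
    # Constant-time compare: the cookie is readable by our page's JS but not
    # by another origin, so a matching header proves a same-origin request.
    return "allow" if hmac.compare_digest(presented.encode(), expected.encode()) else "reject"


class CsrfMiddleware:
    """Wraps any ASGI app and rejects cookie-authenticated mutating requests
    whose X-CSRF-Token header does not match the csrf_token cookie."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and csrf_verdict(
            scope["method"], scope["path"], scope.get("headers", [])
        ) == "reject":
            await send({"type": "http.response.start", "status": 403,
                        "headers": [(b"content-type", b"application/json")]})
            await send({"type": "http.response.body",
                        "body": b'{"detail":"CSRF token missing or invalid"}'})
            return
        await self.app(scope, receive, send)


async def _downstream(scope, receive, send):
    """Stand-in for the real application: always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


async def _status(app, method: str, path: str, headers) -> int:
    """Drive one request through an ASGI app and return the status code."""
    scope = {"type": "http", "method": method, "path": path, "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    await app(scope, receive, send)
    return sent[0]["status"]


def demo() -> dict:
    """Constructed requests covering each branch of the check."""
    app = CsrfMiddleware(_downstream)
    browser = [(b"cookie", b"session=eyJ.fake.jwt; csrf_token=tok-123")]  # constructed
    cases = {
        "get_no_header": ("GET", "/api/projects", browser),
        "post_matching_token": ("POST", "/api/projects", browser + [(CSRF_HEADER, b"tok-123")]),
        "post_missing_header": ("POST", "/api/projects", browser),
        "post_wrong_token": ("POST", "/api/projects", browser + [(CSRF_HEADER, b"tok-999")]),
        "post_session_without_csrf_cookie": ("POST", "/api/projects", [(b"cookie", b"session=eyJ.fake.jwt")]),
        "api_key_no_cookie": ("POST", "/api/projects", [(b"authorization", b"Bearer api-key-xyz")]),
        "login_exempt": ("POST", "/auth/login", []),
    }
    return {name: asyncio.run(_status(app, *args)) for name, args in cases.items()}


if __name__ == "__main__":
    print(demo())
```

The one judgement call is the skip rule: the check is skipped only when neither the `session` nor the `csrf_token` cookie is present. A request that carries the session cookie but no CSRF cookie is rejected rather than waved through, so a client cannot opt out of the check simply by not having the second cookie.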

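The account lockout bullet describes a hybrid in-memory + SQLite store with a threshold of 10 failed attempts in 15 minutes, a timing-safe dummy hash when the account is locked, and `load_locked()` restoring state after a restart. The following added example sketches that design; it is not the PR's `LockoutStore`. The table name, the lockout duration (assumed equal to the window), the PBKDF2 parameters and the `attempt_login` wrapper are assumptions of this example.

```python
"""Added example: in-memory failure counting, SQLite-persisted locks, and a
dummy hash so a locked account costs the same time as a real check.

Not the PR's own LockoutStore; defaults follow the PR description
(10 failures / 15 minutes), everything else is constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import sqlite3
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Tuple

PBKDF2_ROUNDS = 20_000  # kept low for the demo; a real deployment uses far more
DUMMY_SALT = b"constructed-dummy-salt-16"
DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", DUMMY_SALT, PBKDF2_ROUNDS)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> Tuple[bytes, bytes]:
    """Constructed user record: (salt, hash)."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


class LockoutStore:
    """Failures are counted in memory; only the resulting lock is persisted."""

    def __init__(self, conn: sqlite3.Connection, *, threshold: int = 10,
                 window_s: float = 900, lockout_s: float = 900,
                 clock: Callable[[], float] = time.time):
        self.conn, self.clock = conn, clock
        self.threshold, self.window_s, self.lockout_s = threshold, window_s, lockout_s
        self._failures: Dict[str, deque] = defaultdict(deque)  # user -> timestamps
        self._locked_until: Dict[str, float] = {}
        conn.execute("CREATE TABLE IF NOT EXISTS lockouts "
                     "(username TEXT PRIMARY KEY, locked_until REAL NOT NULL)")
        self.load_locked()

    def load_locked(self) -> int:
        """Drop expired locks, reload the live ones; returns how many."""
        self.conn.execute("DELETE FROM lockouts WHERE locked_until <= ?", (self.clock(),))
        self.conn.commit()
        rows = self.conn.execute("SELECT username, locked_until FROM lockouts").fetchall()
        self._locked_until = dict(rows)
        return len(self._locked_until)

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if until <= self.clock():  # expired: clean up lazily
            del self._locked_until[username]
            self.conn.execute("DELETE FROM lockouts WHERE username = ?", (username,))
            self.conn.commit()
            return False
        return True

    def record_failure(self, username: str) -> bool:
        """Add one failure; returns True when this one triggers a lock."""
        now = self.clock()
        window = self._failures[username]
        window.append(now)
        while window and window[0] <= now - self.window_s:  # slide the window
            window.popleft()
        if len(window) < self.threshold:
            return False
        until = now + self.lockout_s
        self._locked_until[username] = until
        self.conn.execute("INSERT OR REPLACE INTO lockouts VALUES (?, ?)", (username, until))
        self.conn.commit()
        window.clear()
        return True

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


def attempt_login(store: LockoutStore, users: Dict[str, Tuple[bytes, bytes]],
                  username: str, password: str) -> str:
    """Return 'ok', 'bad_credentials' or 'locked'."""
    if store.is_locked(username):
        # Spend the same hashing cost as a real verification so response time
        # does not reveal that the account is locked.
        hmac.compare_digest(_hash(password, DUMMY_SALT), DUMMY_HASH)
        return "locked"
    salt, expected = users.get(username, (DUMMY_SALT, DUMMY_HASH))  # unknown user: dummy
    if username in users and hmac.compare_digest(_hash(password, salt), expected):
        store.record_success(username)
        return "ok"
    store.record_failure(username)
    return "bad_credentials"


def demo() -> dict:
    """Constructed scenario: ten wrong passwords, a restart, then expiry."""
    clock = [1_700_000_000.0]  # controllable fake clock
    conn = sqlite3.connect(":memory:")
    users = {"alice": make_user("correct horse battery staple")}
    store = LockoutStore(conn, clock=lambda: clock[0])
    outcomes = [attempt_login(store, users, "alice", "wrong") for _ in range(10)]
    while_locked = attempt_login(store, users, "alice", "correct horse battery staple")
    # "Restart": a fresh store over the same database reloads the lock
    # (a real deployment reopens the on-disk file instead).
    restarted = LockoutStore(conn, clock=lambda: clock[0])
    restored = restarted.is_locked("alice")
    clock[0] += 901  # past the 15-minute lockout
    after_expiry = attempt_login(restarted, users, "alice", "correct horse battery staple")
    return {"failures_before_lock": outcomes.count("bad_credentials"),
            "while_locked": while_locked, "restored_after_restart": restored,
            "after_expiry": after_expiry}


if __name__ == "__main__":
    print(demo())
```

Note that the correct password is refused while the lock is active and still costs a full hash computation, which is the property the "timing-safe dummy hash" bullet is after; counting failures per username rather than per source address is what makes the lock survive a distributed attempt, at the cost of making deliberate lockout of a known username possible, which is why the lock is temporary.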