Security audit: verify HttpOnly cookie JWT implementation pre-beta #1

@man4ish

Description

Goal

Confirm that the auth security hardening from the May 2026 enterprise sprint is intact.

Checklist

  • JWT tokens in HttpOnly cookies (not localStorage)
  • CSRF protection on all state-changing endpoints
  • Refresh token rotation working
  • Token invalidation via Redis pub/sub
  • Rate limiting on /auth/login (max 5 attempts/min)
  • HTTPS enforced (HSTS header present)
  • No sensitive data in JWT payload
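
The header-level items on this checklist (cookie flags, HSTS, JWT payload contents, plus SameSite as a defence in depth for the CSRF item) can be checked offline against a captured login response. The script below is an added example written for this issue, not code from this repository: it assumes the access token is set in a cookie named `access_token` (a guess; adjust to the real cookie name) and embeds constructed sample responses so it runs without a server. Refresh rotation, Redis invalidation and the 5/min rate limit are runtime behaviours and are not covered here.

```python
"""Offline audit of a login response against the HttpOnly-cookie JWT checklist.

Added example for the audit issue; not project code. The cookie name
`access_token` and the sample responses below are assumptions/constructed.
"""
import base64
import json
import re

# Claim names that should never appear in a JWT payload: the payload is only
# base64url-encoded, not encrypted, so anyone holding the token can read it.
SENSITIVE_CLAIM_RE = re.compile(
    r"password|passwd|secret|ssn|card|cvv|email|phone|address", re.I
)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(payload: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test input;
    the audit never verifies signatures, so the signature value is irrelevant)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def parse_set_cookie(value: str):
    """Split a Set-Cookie header into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, token = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), token.strip(), attrs


def check_cookie_flags(name: str, attrs: dict) -> list:
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, token is readable by page scripts")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, token may be sent over plain HTTP")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("strict", "lax"):
        findings.append(f"{name}: SameSite should be Strict or Lax (got {samesite!r})")
    return findings


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment only; this is an audit read, not verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("cookie value is not a compact JWS (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_payload(payload: dict) -> list:
    findings = [f"payload claim {k!r} looks like sensitive data" for k in payload
                if SENSITIVE_CLAIM_RE.search(k)]
    if "exp" not in payload:
        findings.append("payload has no exp claim, token never expires on its own")
    return findings


def check_hsts(headers: list) -> list:
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
            if not m or int(m.group(1)) == 0:
                return ["Strict-Transport-Security present but max-age is missing or 0"]
            return []
    return ["Strict-Transport-Security header missing"]


def audit(headers: list, cookie_name: str = "access_token") -> list:
    """Return a list of findings; an empty list means the response passes."""
    findings, seen = [], False
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cname, token, attrs = parse_set_cookie(value)
        if cname != cookie_name:
            continue
        seen = True
        findings += check_cookie_flags(cname, attrs)
        try:
            findings += check_payload(decode_jwt_payload(token))
        except ValueError as exc:
            findings.append(f"{cname}: {exc}")
    if not seen:
        findings.append(f"no {cookie_name} cookie issued (token not delivered as a cookie)")
    return findings + check_hsts(headers)


# Constructed sample responses (not captured from the real service).
GOOD_HEADERS = [
    ("Set-Cookie", f"access_token={make_sample_jwt({'sub': 'user-123', 'exp': 1900000000, 'scope': 'read'})}"
                   "; Path=/; HttpOnly; Secure; SameSite=Strict"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
BAD_HEADERS = [
    ("Set-Cookie", f"access_token={make_sample_jwt({'sub': 'user-123', 'email': 'a@example.com', 'password_hash': 'x'})}"
                   "; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, audit(hdrs) or "OK")
```

To run it against the real service, replace the constructed header lists with the headers from a login response (`curl -si` output works) and keep `cookie_name` in sync with whatever the server actually sets. The SameSite check is only a secondary CSRF control; the CSRF-token check on state-changing endpoints still needs to be exercised against the running server.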
