security: httpOnly cookies, rate limiting, nginx headers, SSE sanitization

Auth / token storage:
- JWT is now set as an httpOnly Secure SameSite=Lax cookie on login
- Add POST /auth/logout endpoint that clears the cookie
- get_current_member falls back to rh_token cookie when no Authorization header
- WebSocket auth now accepts cookie (rh_token) or optional ?token= query param
- Frontend removes all localStorage JWT access; uses credentials:"include" on
  every fetch so the httpOnly cookie is sent automatically
- Replace clearToken() with logout() that calls the server logout endpoint
- Non-sensitive rh_session flag in localStorage used only for client-side routing

Rate limiting:
- Add slowapi>=0.1.9 dependency
- /auth/login limited to 10 req/min per IP
- /auth/register limited to 5 req/min per IP

Nginx security headers:
- Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy,
  X-XSS-Protection, Permissions-Policy to all responses

SSE error leakage:
- songs.py nc-scan/stream no longer leaks str(exc) to clients

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/src/api/client.ts

@@ -1,15 +1,21 @@
 const BASE = "/api/v1";
 
-function getToken(): string | null {
-  return localStorage.getItem("rh_token");
+// A non-sensitive flag in localStorage that tells the SPA whether the user has
+// an active session. The actual JWT lives in an httpOnly cookie and is never
+// readable by JavaScript. Clearing this flag is sufficient for client-side
+// route guards; the server still validates the cookie on every request.
+const SESSION_KEY = "rh_session";
+
+export function markLoggedIn(): void {
+  localStorage.setItem(SESSION_KEY, "1");
 }
 
-export function setToken(token: string): void {
-  localStorage.setItem("rh_token", token);
+export function markLoggedOut(): void {
+  localStorage.removeItem(SESSION_KEY);
 }
 
-export function clearToken(): void {
-  localStorage.removeItem("rh_token");
+export function isLoggedIn(): boolean {
+  return localStorage.getItem(SESSION_KEY) === "1";
 }
 
 async function request<T>(
@@ -17,20 +23,20 @@ async function request<T>(
   options: RequestInit = {},
   isFormData = false
 ): Promise<T> {
-  const token = getToken();
   const headers: Record<string, string> = {
     ...(options.headers as Record<string, string>),
   };
   if (!isFormData) {
     headers["Content-Type"] = "application/json";
   }
-  if (token) {
-    headers["Authorization"] = `Bearer ${token}`;
-  }
-  const resp = await fetch(`${BASE}${path}`, { ...options, headers });
+  const resp = await fetch(`${BASE}${path}`, {
+    ...options,
+    headers,
+    credentials: "include",  // send httpOnly cookie on every request
+  });
   if (!resp.ok) {
     if (resp.status === 401) {
-      clearToken();
+      markLoggedOut();
       window.location.href = "/login";
       throw new Error("Session expired");
     }