security: httpOnly cookies, rate limiting, nginx headers, SSE sanitization

Auth / token storage:
- JWT is now set as an httpOnly Secure SameSite=Lax cookie on login
- Add POST /auth/logout endpoint that clears the cookie
- get_current_member falls back to rh_token cookie when no Authorization header
- WebSocket auth now accepts cookie (rh_token) or optional ?token= query param
- Frontend removes all localStorage JWT access; uses credentials:"include" on
  every fetch so the httpOnly cookie is sent automatically
- Replace clearToken() with logout() that calls the server logout endpoint
- Non-sensitive rh_session flag in localStorage used only for client-side routing

Rate limiting:
- Add slowapi>=0.1.9 dependency
- /auth/login limited to 10 req/min per IP
- /auth/register limited to 5 req/min per IP

Nginx security headers:
- Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy,
  X-XSS-Protection, Permissions-Policy to all responses

SSE error leakage:
- songs.py nc-scan/stream no longer leaks str(exc) to clients

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/src/pages/BandPage.tsx

@@ -123,11 +123,11 @@ export function BandPage() {
     setScanMsg(null);
     setScanProgress("Starting scan…");
 
-    const token = localStorage.getItem("rh_token");
-    const url = `/api/v1/bands/${bandId}/nc-scan/stream${token ? `?token=${encodeURIComponent(token)}` : ""}`;
+    const url = `/api/v1/bands/${bandId}/nc-scan/stream`;
 
     try {
-      const resp = await fetch(url);
+      // credentials: "include" sends the rh_token httpOnly cookie automatically
+      const resp = await fetch(url, { credentials: "include" });
       if (!resp.ok || !resp.body) {
         const text = await resp.text().catch(() => resp.statusText);
         throw new Error(text || `HTTP ${resp.status}`);