fix: resolve 20 security vulnerabilities from comprehensive audit

Critical (1-3):
- Replace hardcoded admin credentials with secure auto-generation (seed.py)
- Enforce SECRET_KEY configuration, fail in production if missing (config.py)
- Add Zip Slip and Zip Bomb protection to all ZIP import services

High/Medium (4-9):
- Add 50MB file size limit and extension whitelist to evidence uploads
- Configure CORS origins via environment variable instead of hardcoded
- Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend)
- Add rate limiting (5/min) on login endpoint via slowapi
- Replace generic dict payloads with Pydantic schemas (mass assignment)

Medium (10-17):
- Check is_active on login to prevent disabled users from authenticating
- Sanitize exception messages in API responses (system, data_sources)
- Escape LIKE wildcards in all ilike search filters across 8 routers
- Run Docker container as non-root user (appuser)
- Make MINIO_SECURE configurable via environment variable
- Add password complexity policy (12+ chars, upper/lower/digit/special)
- Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min
- Replace xml.etree with defusedxml to prevent Billion Laughs attacks

Low (18-20):
- Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.)
- Disable Swagger UI/ReDoc/OpenAPI in production
- Restrict /health endpoint to internal networks via Nginx ACL

Also: rewrite install.sh as interactive wizard for guided deployment,
fix test-from-template validation error (technique_id UUID vs MITRE ID)

frontend/src/api/auth.ts

@@ -1,25 +1,32 @@
 import client from "./client";
 import type { User } from "../types/models";
 
-interface TokenResponse {
-  access_token: string;
-  token_type: string;
-}
-
-/** Authenticate and return the access token. */
+/**
+ * Authenticate the user.
+ *
+ * The backend sets an HttpOnly cookie with the JWT — no token is stored
+ * in JavaScript memory or localStorage.
+ */
 export async function login(
   username: string,
   password: string,
-): Promise<string> {
+): Promise<void> {
   const params = new URLSearchParams();
   params.append("username", username);
   params.append("password", password);
 
-  const { data } = await client.post<TokenResponse>("/auth/login", params, {
+  await client.post("/auth/login", params, {
     headers: { "Content-Type": "application/x-www-form-urlencoded" },
   });
+}
 
-  return data.access_token;
+/** Clear the authentication cookie on the server. */
+export async function logout(): Promise<void> {
+  try {
+    await client.post("/auth/logout");
+  } catch {
+    // Best-effort — the cookie will expire anyway
+  }
 }
 
 /** Fetch the currently authenticated user profile. */

frontend/src/api/client.ts

@@ -5,15 +5,8 @@ const API_BASE_URL = import.meta.env.VITE_API_URL || "/api/v1";
 const client = axios.create({
   baseURL: API_BASE_URL,
   headers: { "Content-Type": "application/json" },
-});
-
-// Attach the JWT token on every request (if present)
-client.interceptors.request.use((config) => {
-  const token = localStorage.getItem("token");
-  if (token) {
-    config.headers.Authorization = `Bearer ${token}`;
-  }
-  return config;
+  // Send the HttpOnly cookie automatically on every request
+  withCredentials: true,
 });
 
 // Response interceptor for error handling
@@ -22,9 +15,8 @@ client.interceptors.response.use(
   (error: AxiosError<{ detail?: string; code?: string }>) => {
     const status = error.response?.status;
     
-    // On 401, clear token and redirect to login
+    // On 401, redirect to login (cookie is managed by the browser)
     if (status === 401) {
-      localStorage.removeItem("token");
       // Only redirect if not already on login page
       if (window.location.pathname !== "/login") {
         window.location.href = "/login";

frontend/src/components/EvidenceUpload.tsx

@@ -93,7 +93,7 @@ export default function EvidenceUpload({ onUpload, isUploading }: EvidenceUpload
           )}
         </p>
         <p className="mt-1 text-xs text-gray-500">
-          Screenshots, logs, pcap files, etc.
+          Screenshots, logs, pcap files, etc. (max 50 MB)
         </p>
       </div>
 

frontend/src/context/AuthContext.tsx

@@ -6,7 +6,11 @@ import {
   useCallback,
   type ReactNode,
 } from "react";
-import { login as apiLogin, getMe } from "../api/auth";
+import {
+  login as apiLogin,
+  logout as apiLogout,
+  getMe,
+} from "../api/auth";
 import type { User } from "../types/models";
 
 /* ── Context shape ────────────────────────────────────────────────── */
@@ -27,29 +31,25 @@ export function AuthProvider({ children }: { children: ReactNode }) {
   const [user, setUser] = useState<User | null>(null);
   const [isLoading, setIsLoading] = useState(true);
 
-  // On mount — check for a persisted token and hydrate the user
+  // On mount — try to hydrate the user from the existing HttpOnly cookie.
+  // If no valid cookie exists the /auth/me call will 401 and we stay
+  // unauthenticated — no localStorage involved.
   useEffect(() => {
-    const token = localStorage.getItem("token");
-    if (!token) {
-      setIsLoading(false);
-      return;
-    }
-
     getMe()
       .then(setUser)
-      .catch(() => localStorage.removeItem("token"))
+      .catch(() => setUser(null))
       .finally(() => setIsLoading(false));
   }, []);
 
   const login = useCallback(async (username: string, password: string) => {
-    const token = await apiLogin(username, password);
-    localStorage.setItem("token", token);
+    // The backend sets the HttpOnly cookie automatically
+    await apiLogin(username, password);
     const me = await getMe();
     setUser(me);
   }, []);
 
-  const logout = useCallback(() => {
-    localStorage.removeItem("token");
+  const logout = useCallback(async () => {
+    await apiLogout();
     setUser(null);
   }, []);