test(miroir-proxy): add P10.6 CSRF posture acceptance tests (§9)

Add comprehensive acceptance tests for CSRF posture implementation:
- Cookie-auth POST without X-CSRF-Token → 403 missing_csrf
- Cookie-auth POST with wrong token → 403 csrf_mismatch
- Bearer-auth POST bypasses CSRF (plan §9)
- X-Admin-Key header bypasses CSRF
- Origin validation (same-origin, specific, wildcard, referer fallback)
- CSRF token generation and extraction
- CSP header builder merges overrides additively
- CSP config validation rejects wildcard in overrides
- CSRF middleware skips safe methods (GET, HEAD, OPTIONS)
- CSRF middleware skips non-admin paths
- CSRF middleware skips dispatch-exempt endpoints
- Admin session cookie extraction
- Cross-pod session seal verification (mismatch and match)

All 20 tests pass, validating the CSRF posture implementation
required for Admin UI and Search UI session endpoints.

Closes: miroir-46p.6
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>