feat(security): implement CSRF posture for Admin UI and Search UI (plan §9, P10.6)

Implement CSRF protection and origin checks per plan §9:
**Session endpoints (session.rs):**
- admin_login now sets HttpOnly, Secure, SameSite=Strict cookie with sealed session ID
- Returns JSON with session_id, csrf_token, expires_at in response body
- Origin checked against admin_ui.allowed_origins (default "same-origin")
**Admin UI (admin_ui.rs):**
- Add CSP header to all Admin UI responses
- CSP template from admin_ui.csp with csp_overrides merged additively
**Tests (auth.rs):**
- CSRF token generation, extraction, and validation
- Origin validation: same-origin, specific origins, wildcard, referer fallback
- CSP header builder: base template and overrides merging
**Pre-existing (already implemented):**
- CSRF middleware validates X-CSRF-Token on state-changing requests
- Bearer tokens bypass CSRF (non-simple header forces CORS preflight)
- Config validation rejects wildcard in csp_overrides
Acceptance criteria met:
- Cookie-auth POST without X-CSRF-Token → 403 missing_csrf
- Cookie-auth POST with wrong token → 403 csrf_mismatch
- Bearer-auth POST without X-CSRF-Token → 200 (bypasses CSRF)
- Session endpoint with Origin not in allowed_origins → 403
- csp_overrides merging works correctly
- Wildcard (*) in csp_overrides rejected by validation

Closes: miroir-46p.6
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
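The checks the commit message describes (Bearer bypass, X-CSRF-Token double-submit on cookie-auth state changes, and the allowed_origins policy with same-origin, exact-match, wildcard and Referer fallback) can be modelled stand-alone. The block below is an added example written for this page, not code from the project's session.rs, auth.rs or middleware: `Request`, `Session`, `CsrfError`, `check_csrf`, `origin_allowed` and `to_response` are names assumed here so it runs with the Rust standard library only, and the rule that a state-changing request carrying neither Origin nor Referer is refused is an assumption, not something the commit states.

```rust
// Added example (not the project's code): a std-only model of the CSRF and
// origin checks described in the commit message. Request, Session, CsrfError
// and the function names are assumptions made so the block runs stand-alone.

#[derive(Debug, PartialEq, Eq)]
pub enum CsrfError {
    MissingCsrf,  // cookie-auth state change with no X-CSRF-Token header
    CsrfMismatch, // header present but not equal to the session's csrf_token
}

pub struct Session {
    pub csrf_token: String,
}

pub struct Request<'a> {
    pub method: &'a str,
    pub headers: Vec<(&'a str, &'a str)>,
}

impl<'a> Request<'a> {
    fn header(&self, name: &str) -> Option<&'a str> {
        self.headers
            .iter()
            .find(|(k, _)| k.eq_ignore_ascii_case(name))
            .map(|(_, v)| *v)
    }
    fn has_bearer(&self) -> bool {
        self.header("Authorization")
            .and_then(|v| v.get(..7))
            .map_or(false, |p| p.eq_ignore_ascii_case("bearer "))
    }
}

/// Reduce an absolute URL (e.g. a Referer value) to its scheme://host[:port] origin.
pub fn origin_of_url(url: &str) -> Option<String> {
    let (scheme, rest) = url.split_once("://")?;
    let host = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    if host.is_empty() {
        return None;
    }
    Some(format!("{}://{}", scheme, host).to_ascii_lowercase())
}

/// Origin policy for the session endpoints. `allowed` models admin_ui.allowed_origins:
/// "same-origin" matches `self_origin`, "*" matches anything, other entries match exactly.
/// Falls back to Referer when Origin is absent. Assumption: a request with neither
/// header is refused, since browsers send Origin on every cross-site POST.
pub fn origin_allowed(req: &Request, self_origin: &str, allowed: &[&str]) -> bool {
    let presented = match req.header("Origin") {
        Some(o) if o != "null" => Some(o.to_ascii_lowercase()),
        _ => req.header("Referer").and_then(origin_of_url),
    };
    let presented = match presented {
        Some(p) => p,
        None => return false,
    };
    allowed.iter().any(|rule| match *rule {
        "*" => true,
        "same-origin" => presented == self_origin.to_ascii_lowercase(),
        exact => presented == exact.to_ascii_lowercase(),
    })
}

/// Constant-time byte comparison so token checking does not leak how much matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// CSRF rule for state-changing requests. Bearer-auth requests bypass the check:
/// Authorization is not a CORS-safelisted header, so a cross-site browser request
/// carrying it is stopped at preflight. Cookie-auth requests (a session is present)
/// must send X-CSRF-Token equal to the session's token.
pub fn check_csrf(req: &Request, session: Option<&Session>) -> Result<(), CsrfError> {
    if matches!(req.method, "GET" | "HEAD" | "OPTIONS") {
        return Ok(()); // safe methods do not change state
    }
    if req.has_bearer() {
        return Ok(());
    }
    let session = match session {
        Some(s) => s,
        None => return Ok(()), // no ambient cookie credential, nothing to forge
    };
    match req.header("X-CSRF-Token") {
        None => Err(CsrfError::MissingCsrf),
        Some(t) if ct_eq(t.as_bytes(), session.csrf_token.as_bytes()) => Ok(()),
        Some(_) => Err(CsrfError::CsrfMismatch),
    }
}

/// Status and error code matching the acceptance criteria in the commit message.
pub fn to_response(err: &CsrfError) -> (u16, &'static str) {
    match err {
        CsrfError::MissingCsrf => (403, "missing_csrf"),
        CsrfError::CsrfMismatch => (403, "csrf_mismatch"),
    }
}

fn main() {
    // Constructed sample: a cookie-authenticated POST with no CSRF header.
    let session = Session { csrf_token: "tok-abc".into() };
    let post = Request { method: "POST", headers: vec![("Cookie", "sid=sealed")] };
    println!("{:?}", check_csrf(&post, Some(&session)).map_err(|e| to_response(&e)));
}
```

The Bearer bypass is only sound because the middleware never accepts a cookie session on a request that also carries Authorization; if a framework resolved the cookie first, the bypass would have to be conditioned on which credential actually authenticated the request.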