Five tests covering platform-wide guarantees: expired-token redirect, HttpOnly session cookie, bootstrap password not leaked into the DOM after login, missing-app slug fails gracefully, and an XSS-sink probe across the main authed routes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>