Move JWT from localStorage to HttpOnly cookie; fix CSRF

- JWT stored in HttpOnly, Secure, SameSite=Strict cookie — JS cannot
  read the token at all; SameSite=Strict prevents CSRF without tokens
- Non-sensitive user payload returned in response body and stored in
  localStorage for UI purposes only (not usable for auth)
- Add POST /api/auth/logout endpoint that clears the cookie server-side
- Add SECURE_COOKIES env var (default true) for local HTTP testing
- Extract login.html inline script to login.js (CSP compliance)
- Remove Authorization: Bearer header from API calls; add credentials:
  include so cookies are sent automatically
- CSP script-src includes unsafe-inline to support existing onclick
  handlers throughout the app

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

nginx/html/js/api.js

@@ -2,14 +2,11 @@
 
 const API = {
     async _fetch(url, options = {}) {
-        const token = localStorage.getItem('token');
         const headers = { 'Content-Type': 'application/json' };
-        if (token) headers['Authorization'] = `Bearer ${token}`;
-
-        const res = await fetch(url, { headers, ...options });
+        const res = await fetch(url, { credentials: 'include', headers, ...options });
 
         if (res.status === 401) {
-            localStorage.removeItem('token');
+            localStorage.removeItem('user');
             window.location.href = '/login';
             return;
         }