feat: auth system hardening with token revocation, password management, and error sanitization

- Add token revocation with in-memory blacklist and periodic cleanup (SEC-M1)
- Add POST /api/auth/logout endpoint
- Fix OIDC auth_token cookie to HttpOnly with exchange endpoint (SEC-H3)
- Add password complexity validation (min 8 chars) (SEC-M2)
- Prevent admin self-deletion (SEC-M3)
- Add PUT /api/auth/users/{uid} for role/email updates (FUNC-M1)
- Add PUT /api/auth/users/{uid}/password for password changes (FUNC-H1)
- Sanitize error messages in auth handlers (SEC-M4)
2026-04-04 12:43:45 +03:00
parent f71c314262
commit 98ee2bcd9a
4 changed files with 236 additions and 20 deletions
+4
@@ -105,6 +105,7 @@ func (s *Server) Router() chi.Router {
r.Post("/auth/login", s.rateLimitedLogin(loginLimiter))
r.Get("/auth/oidc/login", s.oidcLogin)
r.Get("/auth/oidc/callback", s.oidcCallback)
r.Post("/auth/oidc/token", s.oidcExchangeToken)
// Webhook handler (uses its own secret-based auth).
r.Mount("/webhook", s.webhook.Route())
@@ -115,6 +116,7 @@ func (s *Server) Router() chi.Router {
// Read-only endpoints (any authenticated user).
r.Get("/auth/me", s.currentUser)
r.Post("/auth/logout", s.logout)
r.Get("/projects", s.listProjects)
r.Route("/projects/{id}", func(r chi.Router) {
r.Get("/", s.getProject)
@@ -145,6 +147,8 @@ func (s *Server) Router() chi.Router {
r.Put("/auth/settings", s.updateAuthSettings)
r.Get("/auth/users", s.listUsers)
r.Post("/auth/users", s.createUser)
r.Put("/auth/users/{uid}", s.updateUser)
r.Put("/auth/users/{uid}/password", s.changePassword)
r.Delete("/auth/users/{uid}", s.deleteUser)
// Project mutation endpoints.