Secure cookie flags + CSRF for our own POST forms (todo §4); SECURE_COOKIES toggle on session/CSRF cookies; csrf.ts signed double-submit token + body.ts form reader; logout is now a CSRF-guarded POST form

public/css/styles.css

@@ -498,6 +498,7 @@ span.nav-self { cursor: default; }                 /* static / non-clickable */
   color: var(--text); background: transparent; border: 0; cursor: pointer;
   text-align: left;
 }
+.menu-item-form { display: contents; } /* form wraps the Sign-out button without changing layout */
 .menu-item:hover { background: var(--surface-2); }
 .menu-item.danger { color: var(--neg); }
 .menu-item .ico { color: var(--text-faint); }