fix: security hardening from CSO audit

- Add auth failure logging (login, API key, JWT) with IP/email/prefix
- Move OAuth JWT from URL params to short-lived cookies to prevent
  token leakage via browser history, server logs, and Referer headers
- Pin Swagger UI to v5.18.2 with SRI integrity hashes
- Upgrade Go toolchain to 1.25.8 (fixes 5 called stdlib vulns)
- Fix unchecked error in host agent credential refresh
- Add .gstack to .gitignore for security report artifacts

frontend/src/routes/auth/github/callback/+page.svelte

@@ -4,17 +4,37 @@
 	import { auth } from '$lib/auth.svelte';
 	import { teams } from '$lib/teams.svelte';
 
+	// Check for error in URL params (errors are still passed via query params).
 	const params = $page.url.searchParams;
 	const error = params.get('error');
 
+	function getCookie(name: string): string | null {
+		const match = document.cookie.match(new RegExp(`(?:^|; )${name}=([^;]*)`));
+		return match ? decodeURIComponent(match[1]) : null;
+	}
+
+	function clearOAuthCookies() {
+		for (const name of [
+			'wrenn_oauth_token',
+			'wrenn_oauth_user_id',
+			'wrenn_oauth_team_id',
+			'wrenn_oauth_email',
+			'wrenn_oauth_name'
+		]) {
+			document.cookie = `${name}=; path=/auth/; max-age=0`;
+		}
+	}
+
 	if (error) {
 		goto(`/login?error=${encodeURIComponent(error)}`);
 	} else {
-		const token = params.get('token');
-		const userId = params.get('user_id');
-		const teamId = params.get('team_id');
-		const email = params.get('email');
-		const name = params.get('name') ?? '';
+		const token = getCookie('wrenn_oauth_token');
+		const userId = getCookie('wrenn_oauth_user_id');
+		const teamId = getCookie('wrenn_oauth_team_id');
+		const email = getCookie('wrenn_oauth_email');
+		const name = getCookie('wrenn_oauth_name') ?? '';
+
+		clearOAuthCookies();
 
 		if (token && userId && teamId && email) {
 			teams.reset();