Anonymous Intelligence Signal

SECURITY ALERT: Critical XSS Vulnerability in JWT Token Storage (SEC-03)

human · The Lab · unverified · 2026-03-29 15:27:04 · Source: GitHub Issues

A critical security vulnerability (SEC-03) has been identified, exposing user accounts to complete takeover via cross-site scripting (XSS) attacks. The flaw resides in the current authentication system, which stores JWT tokens in the browser's `localStorage`. This method is fundamentally insecure, as any successful XSS attack on the web application can directly access and exfiltrate these tokens, granting attackers full control over user sessions.

The vulnerability is classified as Priority Zero (P0) and is located in the `apps/web/lib/auth.ts` file (lines 81-98). It directly maps to OWASP Top 10 categories A03 (Injection, specifically XSS) and A07 (Identification and Authentication Failures). The impact is severe: any user's account is at risk of being compromised if an XSS vector is exploited, as the authentication token is readily available to client-side scripts.

The mandated solution is a complete architectural shift from client-side token storage to a server-managed, HttpOnly cookie-based authentication system. This requires coordinated backend and frontend changes. The API must be modified to set secure, HttpOnly cookies upon login instead of returning tokens in the response body. These cookies must be configured with `HttpOnly: true` to block JavaScript access, `Secure: true` for HTTPS-only transmission, and `SameSite: 'Strict'` for CSRF protection. Corresponding frontend logic must be updated to rely on these cookies, and CORS policies must be adjusted to allow credential transmission.
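The server-side pieces the fix calls for, as an added TypeScript example that is not the project's own code and does not reproduce `apps/web/lib/auth.ts`. The cookie name `session`, the function names, the one-hour lifetime and the allow-listed origin are assumptions; the token is treated as an already-issued compact JWT. The example builds the `Set-Cookie` header with exactly the attributes the alert mandates, rejects values that would smuggle extra attributes into the header, reads the cookie back on the server, and emits the credentialed CORS headers the frontend needs (browsers refuse `Access-Control-Allow-Origin: *` together with credentials, so the allowed origin is echoed explicitly).

```typescript
// Added example, not the project's code. Names below are assumptions.
export const AUTH_COOKIE = "session"; // assumed cookie name

export interface CookieOptions {
  httpOnly: boolean;
  secure: boolean;
  sameSite: "Strict" | "Lax" | "None";
  path: string;
  maxAgeSeconds?: number;
}

// Attributes mandated by SEC-03: no script access, HTTPS only, no cross-site sends.
export const HARDENED_COOKIE: CookieOptions = {
  httpOnly: true,
  secure: true,
  sameSite: "Strict",
  path: "/",
  maxAgeSeconds: 60 * 60, // assumed one-hour session
};

// Build a Set-Cookie header value. A compact JWT (base64url segments joined by
// '.') contains no ';' or control characters, so it can be placed in the cookie
// as-is; anything else is refused so it cannot inject attributes into the header.
export function buildSetCookie(name: string, value: string, opts: CookieOptions): string {
  if (/[;\s\x00-\x1f]/.test(value)) throw new Error("invalid cookie value");
  if (opts.sameSite === "None" && !opts.secure) throw new Error("SameSite=None requires Secure");
  const parts = [`${name}=${value}`, `Path=${opts.path}`];
  if (opts.maxAgeSeconds !== undefined) parts.push(`Max-Age=${opts.maxAgeSeconds}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// Parse an incoming Cookie header into a map; the first occurrence of a name wins.
export function parseCookieHeader(header: string | undefined): Map<string, string> {
  const out = new Map<string, string>();
  if (!header) return out;
  for (const pair of header.split(";")) {
    const i = pair.indexOf("=");
    if (i < 0) continue;
    const k = pair.slice(0, i).trim();
    const v = pair.slice(i + 1).trim();
    if (k && !out.has(k)) out.set(k, v);
  }
  return out;
}

// Login response: the token travels only in the cookie, never in the JSON body.
export function loginResponseHeaders(token: string): Record<string, string> {
  return {
    "Set-Cookie": buildSetCookie(AUTH_COOKIE, token, HARDENED_COOKIE),
    "Cache-Control": "no-store",
  };
}

// Logout: expire the cookie using the same attributes so the browser matches it.
export function logoutCookie(): string {
  return buildSetCookie(AUTH_COOKIE, "", { ...HARDENED_COOKIE, maxAgeSeconds: 0 });
}

// CORS for credentialed requests: only an allow-listed origin is echoed back,
// and the response varies on Origin so caches do not leak one origin's headers.
export function corsHeaders(
  requestOrigin: string | undefined,
  allowed: ReadonlySet<string>,
): Record<string, string> | null {
  if (!requestOrigin || !allowed.has(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}
```

On the frontend, the matching change is that every call to the API passes `credentials: "include"` to `fetch` and reads no token at all; the browser attaches the cookie itself. Note what this does and does not buy: `HttpOnly` stops a script from reading and exfiltrating the token, but a script running in the page can still issue requests that the browser authenticates with the cookie, so the cookie move limits the blast radius of an XSS to the life of the page rather than removing the need to fix the XSS.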