1. Security Flaw: Auth Endpoints Expose Tokens in JSON Response, Undermining httpOnly Cookie Protection
A significant security design flaw has been identified in the authentication system, where critical access and refresh tokens are being unnecessarily exposed in plain JSON responses. The registration and login endpoints (`src/api/routes/auth.py:103,155`) return these tokens in the response body via a `TokenResponse` mo...