Harden ocaml-auth: HMAC sessions, cookie parser, is_https, fuzz targets
Security fixes:
- Cookie parser splits on first = only (values containing = preserved)
- is_https checks "https://" not just "https" (rejects httpsomething.com)
- Session values HMAC-signed with cookie_secret via Csrf.sign_state
- Per-user session limit (max 10, oldest evicted on sign-in)
- delete_user_sessions for "sign out everywhere"
- purge_expired_sessions for periodic cleanup
- pp_user no longer leaks email at INFO level (prints user(<id>) only)
API changes:
- create_session/find_session now require ~secret for HMAC verification
- parse_cookie_value exposed for fuzzing
- session_config type split from config (linter refactor, kept)
New:
- fuzz/fuzz_auth.ml: crowbar fuzz targets for cookie parser and CSRF
sign/verify round-trip