Remediates the two web-console residuals from the 2026-07-05 posture audit:
- Brute-force throttle (loginThrottle.ts): per-IP exponential backoff
after 5 free attempts, plus a global floor for spread-out floods, keyed
on the socket peer IP (not spoofable X-Forwarded-For) with a size-capped
map. The constant-time compare already stopped the timing leak; this
bounds guess *volume* against a by-design LAN-exposed console.
- Session seal key now derives from the high-entropy mgmt token instead of
the low-entropy login password, so a captured cookie is no longer an
offline password oracle. Falls back to the password only when no token
is configured (dev/local). Rotating the token now invalidates sessions.
- Replace the process-wide NODE_TLS_REJECT_UNAUTHORIZED=0 with per-request
Bun TLS scoped to the loopback proxy hop; a non-loopback mgmt URL now
verifies normally. Dropped the env var from the systemd unit, Steam Deck
installer, Windows run scripts, env examples, and web README.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>