Merge fix/security-audit: RBAC/API-key-hash/cookie hardening

app/schemas/schemas.py

@@ -105,7 +105,9 @@ class CommentBase(BaseModel):
 
 class CommentCreate(CommentBase):
     task_id: int
-    author_id: int
+    # author_id is NOT accepted from the client — the comment is always
+    # attributed to the authenticated caller (server-side) to prevent
+    # author spoofing.
 
 
 class CommentUpdate(BaseModel):