fix(security): RBAC on legacy create endpoints, hashed API keys, hardening
Addresses findings from the security audit:

- H1: add check_project_role to the legacy misc.py create endpoints (milestones=mgr, tasks/supports/meetings=dev) that previously required only authentication — closing a cross-project write bypass available to any logged-in user or agent API key.
- M2: comments are always attributed to the authenticated caller; the client-supplied author_id is dropped (no author spoofing).
- M3: API keys are stored as SHA-256 hashes (key_hash) plus a short key_prefix for display — never plaintext. Lookup hashes the presented key; listings never expose the secret. Includes an idempotent migration for existing deployments.
- M5: the OIDC session cookie's Secure flag is env-driven via SESSION_COOKIE_SECURE (default True; set false for plain-HTTP dev).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -32,8 +32,12 @@ def create_comment(comment: schemas.CommentCreate, db: Session = Depends(get_db)
|
||||
if not task:
|
||||
raise HTTPException(status_code=404, detail="Task not found")
|
||||
check_project_role(db, current_user.id, task.project_id, min_role="viewer")
|
||||
|
||||
db_comment = models.Comment(**comment.model_dump())
|
||||
|
||||
# Always attribute the comment to the authenticated caller — never trust
|
||||
# a client-supplied author_id (prevents author spoofing).
|
||||
data = comment.model_dump()
|
||||
data.pop("author_id", None)
|
||||
db_comment = models.Comment(**data, author_id=current_user.id)
|
||||
db.add(db_comment)
|
||||
db.commit()
|
||||
db.refresh(db_comment)
|
||||
|
||||
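Review bot: the check_project_role call in this hunk uses min_role="viewer" before a comment is created, so an account with read-only project access can write comments; confirm that threshold is intended, since the commit message states role thresholds only for the milestone/task/support/meeting endpoints. Separately, popping author_id from the dumped payload at runtime still leaves the field accepted by schemas.CommentCreate; consider removing it from the schema as well so the API contract no longer advertises a client-settable author, and the `data.pop("author_id", None)` line becomes unnecessary.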