fix(security): RBAC on legacy create endpoints, hashed API keys, hardening

Addresses findings from the security audit:
- H1: add check_project_role to the legacy misc.py create endpoints
  (milestones=mgr, tasks/supports/meetings=dev) that previously required
  only authentication — closing a cross-project write bypass available to
  any logged-in user or agent API key.
- M2: comments are always attributed to the authenticated caller; the
  client-supplied author_id is dropped (no author spoofing).
- M3: API keys are stored as SHA-256 hashes (key_hash) plus a short
  key_prefix for display — never plaintext. Lookup hashes the presented
  key; listings never expose the secret. Includes an idempotent migration
  for existing deployments.
- M5: the OIDC session cookie's Secure flag is env-driven via
  SESSION_COOKIE_SECURE (default True; set false for plain-HTTP dev).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

app/api/routers/users.py

@@ -7,7 +7,7 @@ from pydantic import BaseModel
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.orm import Session
 
-from app.api.deps import get_current_user, get_current_user_or_apikey, get_password_hash
+from app.api.deps import get_current_user, get_current_user_or_apikey, get_password_hash, hash_api_key
 from app.core.config import get_db, settings
 from app.init_bootstrap import DELETED_USER_USERNAME
 from app.models import models
@@ -464,9 +464,10 @@ def reset_user_apikey(
         existing_key.is_active = False
         db.flush()
 
-    # Create new key
+    # Create new key (store only the hash + a display prefix)
     new_key = APIKey(
-        key=new_key_value,
+        key_hash=hash_api_key(new_key_value),
+        key_prefix=new_key_value[:8],
         name=f"{target_user.username}-key",
         user_id=target_user.id,
         is_active=True,