Capture the hardening patterns from the solmade audit so future Five work
reuses them: authorize on resolved function name (not URL path), CSPRNG
session tokens stored as hashes, argon2id with legacy-verify + upgrade,
login rate-limit + timing-safe dummy hash, bluemonday HTML sanitize vs
EscHtml, security headers + nonce CSP, upload allowlist (no SVG), bind-all
SQL. Theme: thin Go RTL over an ecosystem crypto lib. INDEX/README updated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
