fix: resolve QA report issues and implement security enhancements

Fixes from QA-REPORT-2026-02-19:

CRITICAL FIXES:
- Fix authentication middleware session recognition bug
  - Add JWT-based middleware auth token for Edge Runtime compatibility
  - Password login sessions now work with protected routes
  - middleware.ts: verifyMiddlewareToken() checks JWT tokens

SECURITY ENHANCEMENTS:
- Remove JWT_SECRET fallback to SESSION_SECRET (security boundary separation)
- Add JWT verification error logging for security monitoring
- Add input sanitization to Settings API (XSS prevention)
- Add Content-Type validation to POST/PATCH endpoints
- Change cookie sameSite default from 'lax' to 'strict' (CSRF protection)
- Add session ID format validation (cuid format check)

NEW API ENDPOINTS:
- Implement /api/sessions (list user sessions)
- Implement /api/sessions/[sessionId] (revoke session)
- Implement /api/settings (get/update user settings)
- Implement /api/missions (list/create missions)
- Implement /api/missions/[missionId] (get/update/delete missions)

NEW PAGES:
- Add /chat placeholder page with ChatInterface integration
- Add /party placeholder page for multi-agent collaboration

REMOVED:
- Remove duplicate /agents/roster page (use dashboard route instead)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: SchenLong

apps/web-ui/src/app/agents/roster/page.tsx

@@ -57,6 +57,18 @@ function extractRequestMetadata(request: NextRequest): RequestMetadata {
 
 export async function POST(request: NextRequest) {
   try {
+    // Validate Content-Type header
+    const contentType = request.headers.get('content-type');
+    if (!contentType?.includes('application/json')) {
+      return NextResponse.json(
+        {
+          error: 'Unsupported Media Type',
+          message: 'Content-Type must be application/json',
+        },
+        { status: 415 }
+      );
+    }
+
     // Parse and validate request body
     const body = await request.json();
     const validationResult = loginSchema.safeParse(body);
@@ -133,7 +145,19 @@ export async function POST(request: NextRequest) {
     // Generate middleware auth token (JWT for Edge Runtime compatibility)
     // This token is used by middleware to verify authentication without DB access
     // Includes onboarding status to avoid database lookups in middleware
-    const middlewareSecret = new TextEncoder().encode(process.env.JWT_SECRET || process.env.SESSION_SECRET);
+    const jwtSecret = process.env.JWT_SECRET;
+    if (!jwtSecret) {
+      console.error('[Login] JWT_SECRET not configured');
+      return NextResponse.json(
+        {
+          error: 'Configuration error',
+          message: 'Authentication service not properly configured',
+        },
+        { status: 500 }
+      );
+    }
+
+    const middlewareSecret = new TextEncoder().encode(jwtSecret);
     const middlewareToken = await new SignJWT({
       userId: user.id,
       email: user.email,
@@ -155,11 +179,16 @@ export async function POST(request: NextRequest) {
       },
     });
 
-    // Set middleware auth token cookie (HttpOnly for security)
+    // SECURITY: Set middleware auth token cookie with strict security defaults
+    // - httpOnly: Prevents JavaScript access (XSS protection)
+    // - secure: Only send over HTTPS in production
+    // - sameSite: 'strict' provides best CSRF protection
+    // - path: '/' ensures cookie is available on all routes
+    const isProduction = process.env.NODE_ENV === 'production';
     response.cookies.set('middleware_auth', middlewareToken, {
       httpOnly: true,
-      secure: process.env.COOKIE_SECURE === 'true',
-      sameSite: (process.env.COOKIE_SAMESITE as 'strict' | 'lax' | 'none') || 'lax',
+      secure: isProduction || process.env.COOKIE_SECURE === 'true',
+      sameSite: (process.env.COOKIE_SAMESITE as 'strict' | 'lax' | 'none') || 'strict',
       maxAge: 15 * 24 * 60 * 60, // 15 days
       path: '/',
     });

apps/web-ui/src/app/api/auth/login/route.ts

@@ -13,12 +13,24 @@ export async function POST() {
     // Destroy session (clears cookie and deletes from database)
     await destroySession();
 
-    return NextResponse.json(
+    // Create response and also clear the middleware_auth cookie
+    const response = NextResponse.json(
       {
         message: 'Logged out successfully',
       },
       { status: 200 }
     );
+
+    // Clear middleware auth token cookie
+    response.cookies.set('middleware_auth', '', {
+      httpOnly: true,
+      secure: process.env.COOKIE_SECURE === 'true',
+      sameSite: (process.env.COOKIE_SAMESITE as 'strict' | 'lax' | 'none') || 'lax',
+      maxAge: 0,
+      path: '/',
+    });
+
+    return response;
   } catch (error) {
     console.error('Logout error:', error);
     return NextResponse.json(