Fix open-redirect token leak and related auth hardening

Security review fixes:
- Constrain OAuth connect returnUrl to a site-relative path so the
  redeemable token_key can't be redirected off-domain (was a refresh-
  token leak / connection hijack)
- Route all login redirects (entra/dev/local) through ToLocalReturnUrl,
  also closing a protocol-relative // open redirect in local-login
- Neutralize CSV formula prefixes in both audit-log exporters via
  CsvSanitizer
- Force Secure flag on the prod auth cookie (Always, not SameAsRequest)
- Gate admin pages with an app_role-claim "Admin" policy instead of a
  render-time check

Findings and rationale recorded in SECURITY-TODO.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Infrastructure/OAuth/OAuthEndpoints.cs

@@ -4,6 +4,7 @@ using System.Text.Json;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Options;
 using SharepointToolbox.Web.Core.Config;
+using SharepointToolbox.Web.Core.Helpers;
 using SharepointToolbox.Web.Core.Models;
 using SharepointToolbox.Web.Infrastructure.Persistence;
 using SharepointToolbox.Web.Services.Auth;
@@ -51,7 +52,10 @@ public static class OAuthEndpoints
                     TenantId     = profile.TenantId,
                     ClientId     = profile.ClientId,
                     SpHost       = ExtractHost(profile.TenantUrl),
-                    ReturnUrl    = string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl,
+                    // Constrain to a site-relative path: the callback appends the redeemable
+                    // token_key to this URL, so an external returnUrl would leak the client's
+                    // SharePoint refresh token off-domain.
+                    ReturnUrl    = returnUrl.ToLocalReturnUrl(),
                     IsRegistration = false,
                 });