Harden auth, headers, and container per OWASP review

- Add per-account lockout + IP rate limiter on local sign-in (A07)
- Emit CSP and security headers on every response (A05)
- Run container as non-root `app`, /data 0700 (A05/A02)
- Stop reflecting raw token-endpoint body into redirect URL (A09)
- Handle missing refresh_token in connect callback without a 500

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Core/Models/AppUser.cs

@@ -15,4 +15,17 @@ public class AppUser
 
     public DateTimeOffset CreatedAt  { get; set; } = DateTimeOffset.UtcNow;
     public DateTimeOffset? LastLogin { get; set; }
+
+    // ── Local-account brute-force lockout ───────────────────────────────────────
+    // Consecutive failed password attempts and, once the threshold is hit, the UTC
+    // instant the account unlocks again. Only meaningful for AuthProvider.Local.
+    // A per-account counter (not just an IP rate limiter) is the control that holds
+    // up here: forwarded headers are trusted from any source, so an attacker who can
+    // rotate X-Forwarded-For would evade IP-based throttling but not this.
+
+    /// <summary>Consecutive failed local-login attempts since the last success.</summary>
+    public int FailedLoginCount { get; set; }
+
+    /// <summary>UTC instant the account unlocks; null when not locked.</summary>
+    public DateTimeOffset? LockoutEndUtc { get; set; }
 }