Pins the auth-core invariants: bcrypt password round-trip, wrong-password
→ bad_password (feeds lockout), unknown user → null (no enumeration);
sessions stored HASHED (sha256), never the raw token; the session
lifecycle (create/lookup/expire/rotate/invalidate/prune); and
rotateSessionId enforcing ownership + killing the old session.
Co-Authored-By: Claude Opus 4.8 <[email protected]>