audit-fixes: 3rd-pass LOW/INFO sweep (CSS injection, Origin RFC, next charset, env doc, session clear)

Cobb requested all the small ones land before LAN testing.

discover.html CVE-NEW3-2 (LOW): switched recipe card image from a CSS
background-image:url('${_esc(url)}') to a plain <img class="img" src=...>
element. Recipe image_url is scraped from JSON-LD on third-party pages —
a malicious page could return an image_url crafted to close the CSS
url(...) string and inject layout-breaking CSS. With <img src=...> the
URL stays in HTML-attribute context end-to-end where _esc is sufficient.
Also adds defense-in-depth: validate URL parses as http(s) before
rendering, fall through to placeholder otherwise, and set
referrerpolicy=no-referrer so we don't leak our path to image hosts.
CSS for .dcard .img widened with object-fit:cover so img and div both
center/cover correctly.

server.py CVE-NEW3-3 (LOW): _origin_of() now lowercases scheme AND
host (urlparse only does scheme), and drops scheme-default ports
(:80/:443) so `https://x.com:443` matches `https://x.com`. Closes a
false-reject path on browsers that preserve case in Origin headers,
or non-canonical CAULDRON_BASE_URL values. Not a bypass — false-reject
robustness only — but cheap to fix and operationally important.

server.py CODE3-3 (LOW): _safe_next() now allows `%` in the path
charset so percent-encoded paths (e.g. /recipes/spaghetti%20bol)
don't silently land at /me. Defense-in-depth: also percent-decode
the path and reject if the decoded form contains `..` traversal or
`//` (encoded forms of the same patterns the front-of-function
reject already).

server.py INFO3-2: auth_callback now does session.clear() before
setting session["user"]. Capture+revalidate `next` BEFORE the clear
so we don't drop our own redirect target. Drops every pre-auth key
on login — defense-in-depth against session-state contamination if
anything else ever lands in pre-auth session.

.env.example INFO3-1: added CAULDRON_ADMIN_SUBS, CAULDRON_BASE_URL,
CAULDRON_BEHIND_TLS, CAULDRON_TRUSTED_PROXIES with comments
explaining what each one gates. Defaults are the safe-LAN set.

Holding for public deploy — Cobb running LAN tests for a few days.

INFO3-3 (rate limit) intentionally NOT addressed in code: the audit
notes this as architecturally a proxy-layer concern (rackham vhost),
not in-process. Rolled into the public-deploy commit when the vhost
work lands.

INFO3-4 (security primitive test coverage) deferred — separate test-
sweep PR, doesn't block deploy.

.env.example

@@ -38,3 +38,27 @@ DB_PASSWORD=
 # Fernet master key for at-rest encryption of per-user Mealie tokens.
 # Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
 CAULDRON_FERNET_KEY=
+
+# --- Public-deploy hardening (added 2026-05-02 CVE audit) ---
+# Comma-separated list of authentik subjects who get the operator-tier
+# /me admin tools panel (consolidate, discover scrape). Empty = nobody.
+# Cobb's authentik sub goes here for production.
+CAULDRON_ADMIN_SUBS=
+
+# External base URL where cauldron is reachable. Set to your public host
+# (e.g. https://cauldron.sulkta.com) when going public; leave empty for
+# LAN-only HTTP. When set: enables CSRF Origin guard, HSTS, secure cookie.
+CAULDRON_BASE_URL=
+
+# Whether the deploy is fronted by TLS (rackham apache → cauldron over
+# OpenVPN). Independent toggle from base_url so dev/staging can override.
+# When true: SESSION_COOKIE_SECURE=True, HSTS header emitted.
+CAULDRON_BEHIND_TLS=false
+
+# Comma-separated CIDR list of trusted proxies whose X-Forwarded-* we
+# honor. Empty = trust nothing → ProxyFix is OFF and X-Forwarded-* are
+# stripped from every request. For the rackham→OpenVPN→lucy:7790 deploy,
+# set this to rackham's WireGuard-internal IP (e.g. 10.20.30.1/32). Any
+# X-Forwarded-* from a peer outside this list gets dropped before
+# ProxyFix sees it.
+CAULDRON_TRUSTED_PROXIES=