## Objective Fix the five security findings from the codebase audit. ## Findings addressed - SEC-001 HIGH: All GET /api/* endpoints bypass JWT, add authentication enforcement on GET routes - SEC-002 HIGH: No request body size limit on AI endpoints, add a maximum payload size - SEC-003 HIGH: Gemini API key sent as URL query param and appears in logs, move it to a header or request body - SEC-004 MEDIUM: No rate limiting on AI endpoints, add basic rate limiting - SEC-005 LOW: Path traversal in playbook file path, sanitise and validate the path ## Acceptance criteria - [ ] GET /api/* endpoints require valid JWT - [ ] AI endpoints reject oversized bodies - [ ] Gemini key no longer appears in any URL or log - [ ] Rate limiting active on AI endpoints - [ ] Playbook path traversal blocked - [ ] CI passes, base branch dev ## Category Security