
Security Wave 0: Honest defaults & honest docs #22

@jrosskopf

Description

Part of #21.

Goal: stop documentation from claiming security properties that don't hold, and warn loudly at startup when config is unsafe. No breaking config changes.

Tasks

  • W0.1 — Fix misleading SQL-injection docs. docs/CONFIG_REFERENCE.md:1365 and CLAUDE.md claim triple-brace {{{ }}} "prevents SQL injection". It does not — it only disables HTML escaping. The actual defenses are RequestValidator + careful template authoring. Rewrite this section to document the real threat model honestly.
  • W0.2 — Startup safety warnings in src/main.cpp / src/config_manager.cpp:
    • Plaintext password detected in auth.users[*].password
    • MD5 password detected (deprecated)
    • Any endpoint has mcp-tool: AND auth.required: false AND server bound to non-loopback
    • CORS wildcard active AND any endpoint has auth.required: true (credential-bearing cross-origin requests)
  • W0.3 — Redact secrets in logs. jwt_secret, connection password, and AWS credentials currently leak at DEBUG level (src/auth_middleware.cpp:68, src/config_manager.cpp). Add a LogRedactor helper used by config dump + error paths; cover JWT secrets in verification logging too.
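As an added illustration of the W0.2 and W0.3 tasks (this is not the project's code), the following C++ sketch shows a startup audit that returns one warning per unsafe finding and a `LogRedactor` that masks secrets both by registered value and by secret-looking key. The `Config`, `User` and `Endpoint` structs, the `startupWarnings` and `LogRedactor` names, and the password-format heuristic (crypt-style `$id$…` strings count as hashed, `$1$` or a bare 32-hex-digit value counts as MD5) are all assumptions standing in for the project's real config model.

```cpp
#include <cctype>
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// --- Assumed config model (stand-in for the project's real one) ---
struct User { std::string name; std::string password; };
struct Endpoint { std::string path; bool mcp_tool; bool auth_required; };
struct Config {
    std::vector<User> users;
    std::vector<Endpoint> endpoints;
    std::string bind_address;   // address the server listens on
    bool cors_wildcard;         // Access-Control-Allow-Origin: * in effect
};

static bool isLoopback(const std::string& a) {
    return a == "127.0.0.1" || a == "::1" || a == "localhost";
}

static bool isHexString(const std::string& s, size_t n) {
    if (s.size() != n) return false;
    for (char c : s) if (!std::isxdigit(static_cast<unsigned char>(c))) return false;
    return true;
}
// Assumption: "$1$" is MD5-crypt and a bare 32-hex-digit value is a raw MD5 digest.
static bool isMd5(const std::string& pw) { return pw.rfind("$1$", 0) == 0 || isHexString(pw, 32); }
// Assumption: any other crypt-style "$<id>$..." string is a modern hash; everything else is plaintext.
static bool isHashed(const std::string& pw) { return !pw.empty() && pw[0] == '$'; }

// W0.2: one human-readable warning per unsafe finding; an empty vector means nothing to report.
std::vector<std::string> startupWarnings(const Config& c) {
    std::vector<std::string> w;
    for (const auto& u : c.users) {
        if (isMd5(u.password))
            w.push_back("auth.users[" + u.name + "].password uses MD5 (deprecated)");
        else if (!isHashed(u.password))
            w.push_back("auth.users[" + u.name + "].password is stored in plaintext");
    }
    bool anyAuthRequired = false;
    for (const auto& e : c.endpoints) {
        if (e.auth_required) anyAuthRequired = true;
        if (e.mcp_tool && !e.auth_required && !isLoopback(c.bind_address))
            w.push_back("endpoint " + e.path + " exposes an mcp-tool without auth on non-loopback " + c.bind_address);
    }
    if (c.cors_wildcard && anyAuthRequired)
        w.push_back("CORS wildcard is active while endpoints require auth (credentialed cross-origin requests)");
    return w;
}

static const std::string kMask = "[REDACTED]";

// W0.3: masks registered secret values anywhere in a line, then masks the value of any
// key=value / key: value / "key": "value" pair whose key looks secret-bearing, so a config
// dump or error path cannot leak a secret that was never registered by value.
class LogRedactor {
public:
    void addSecret(const std::string& v) { if (!v.empty()) secrets_.push_back(v); }

    std::string redact(std::string line) const {
        for (const auto& s : secrets_)
            for (size_t p = line.find(s); p != std::string::npos; p = line.find(s, p + kMask.size()))
                line.replace(p, s.size(), kMask);
        // Custom raw-string delimiter: the pattern itself contains the sequence )"
        static const std::regex keyed(
            R"re(((?:jwt_secret|password|aws_secret_access_key|aws_access_key_id)"?\s*[=:]\s*"?)([^\s",]+))re",
            std::regex::icase);
        return std::regex_replace(line, keyed, "$1" + kMask);
    }
private:
    std::vector<std::string> secrets_;
};

int main() {
    // Constructed sample config exercising every W0.2 check at once.
    Config bad{{{"alice", "hunter2"}, {"bob", "5f4dcc3b5aa765d61d8327deb882cf99"}},
               {{"/tool", true, false}, {"/admin", false, true}}, "0.0.0.0", true};
    for (const auto& w : startupWarnings(bad)) std::cerr << "WARNING: " << w << "\n";

    LogRedactor r;
    r.addSecret("hunter2");
    std::cout << r.redact("DEBUG cfg: {\"jwt_secret\": \"s3cr3t\", \"port\": 8080} user=alice pw=hunter2") << "\n";
    return 0;
}
```

The value pass runs before the key pass so a secret that appears outside any key/value syntax (for example interpolated into a free-form DEBUG message) is still masked; the key pass is the safety net for config text dumped verbatim. The "grep DEBUG-level logs" verification step in this issue is the right check for both.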

Critical files

docs/CONFIG_REFERENCE.md, CLAUDE.md, src/main.cpp, src/config_manager.cpp, src/auth_middleware.cpp.

Verify

Unit test that startup-warning function fires for known-bad configs; grep DEBUG-level logs after a debug run to confirm no secret values appear.

Metadata

Labels: documentation (Improvements or additions to documentation), enhancement (New feature or request)