Add API streaming session boundary checks#978

Open
malb200710-dev wants to merge 4 commits into UnitOneAI:main from malb200710-dev:codex/api-streaming-boundaries-423

Conversation

@malb200710-dev

Closes #423

Summary

  • Extends api-security from REST/GraphQL-only wording to include WebSocket and Server-Sent Events review surfaces.
  • Adds streaming session-boundary evidence requirements: browser exposure, credential type, Origin policy, per-message/per-subscription authorization, revocation behavior, SSE cache/log controls, and resource limits.
  • Updates the detailed OWASP API checklist for API1/API4/API8/API9 streaming edge cases.
  • Adds a focused fixture covering vulnerable cookie-authenticated WebSocket, vulnerable SSE query-token handling, and benign public read-only WebSocket behavior.

Validation

  • Markdown fence balance check passed for touched files.
  • ASCII scan passed for touched files.
  • Confirmed the new guidance includes WebSocket/SSE, Origin, per-message/per-subscription authorization, SSE cache/log controls, and streaming inventory/resource-limit checks.
  • Checked open PR titles for API streaming/WebSocket/SSE overlap before starting; no existing focused [REVIEW] api-security: add WebSocket and SSE session-boundary evidence #423 implementation was visible.

Bounty

I have read and agree to the CONTRIBUTING.md bounty terms. Preferred payment details can be provided privately after maintainer acceptance.
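As an added illustration of the session-boundary checks the summary lists (this is example code, not part of this PR or of the api-security guidance it modifies), a small Python checker evaluates constructed WebSocket and SSE handshakes mirroring the fixture's three cases; the allowlist, header names, query parameter names and finding strings are assumptions.

```python
"""Session-boundary checks for WebSocket / SSE handshakes (added example, not project code)."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

@dataclass
class Handshake:
    kind: str      # "websocket" or "sse"
    target: str    # request target, e.g. "/events?token=..."
    headers: dict  # request headers, names lower-cased

def check_handshake(hs: Handshake, allowed_origins: set) -> list:
    """Return review findings for one handshake; an empty list means none."""
    findings = []
    origin = hs.headers.get("origin")
    query = parse_qs(urlsplit(hs.target).query)
    # Browser-exposed stream authenticated by an ambient cookie: the Origin
    # allowlist is what stops a cross-site page from opening the same stream.
    if "cookie" in hs.headers and origin not in allowed_origins:
        findings.append("cookie-authenticated stream accepts unlisted Origin")
    # A token in the query string ends up in proxy/server access logs and, for
    # SSE, in any intermediary cache keyed on the full URL.
    if any(k in query for k in ("token", "access_token")):
        findings.append("credential carried in query string")
    return findings

def check_sse_response(resp_headers: dict) -> list:
    """An SSE stream is an ordinary HTTP response, so cache controls must be explicit."""
    if "no-store" in resp_headers.get("cache-control", ""):
        return []
    return ["SSE response missing Cache-Control: no-store"]

def authorize_subscribe(session_scopes: set, channel: str) -> bool:
    """Per-subscription check: the handshake alone never grants channel access."""
    return channel in session_scopes

ALLOWED_ORIGINS = {"https://app.example"}  # constructed allowlist

# Constructed handshakes mirroring the PR fixture's three cases.
FIXTURES = {
    "vuln_cookie_ws": Handshake("websocket", "/ws",
        {"origin": "https://evil.example", "cookie": "sid=abc"}),
    "vuln_sse_query_token": Handshake("sse", "/events?token=abc",
        {"origin": "https://app.example"}),
    "benign_public_ws": Handshake("websocket", "/ticker",
        {"origin": "https://other.example"}),
}

def review_fixtures() -> dict:
    return {name: check_handshake(hs, ALLOWED_ORIGINS) for name, hs in FIXTURES.items()}
```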



Development

Successfully merging this pull request may close these issues.

[REVIEW] api-security: add WebSocket and SSE session-boundary evidence