Security hardening.
- allowed_origins + check_origin() defend against cross-site WebSocket hijacking (CWE-1385)
- on_connect authentication hook invoked before a connection is tracked (CWE-306)
- max_connections defaults to 10,000 (CWE-770)
- max_message_bytes + receive helpers reject oversized frames (CWE-770)
- room_validator enforced for connect(rooms=...) (CWE-862)
- require_room forbids global broadcasts (CWE-200)
- Security-relevant events logged (CWE-778)