
#19539: security: strengthen CSRF protection with SameSite cookies

by Mozzzaic · open · 2026-02-17 23:00
size: XS
## Summary

- Enforce `SameSite=Strict` attribute on all `Set-Cookie` headers via response patching
- Return structured JSON error response on CSRF rejection instead of plain text
- Maintain existing Origin/Referer/Sec-Fetch-Site validation

## Security Impact

Adds defense-in-depth against CSRF by ensuring cookies are never sent on cross-site requests, even if the Origin/Referer checks are somehow bypassed.

## Test plan

- [x] Existing CSRF tests still pass (shouldRejectBrowserMutation)
- [ ] Verify SameSite=Strict is appended to Set-Cookie headers
- [ ] Verify JSON error response on CSRF rejection

### Greptile Summary

Adds `SameSite=Strict` to all cookies and converts CSRF rejection response from plain text to JSON. The `enforceSameSiteCookies` function monkey-patches the response's `setHeader` method to automatically append `SameSite=Strict` to any `Set-Cookie` headers that don't already have a `SameSite` attribute. This provides defense-in-depth against CSRF attacks by ensuring cookies are never sent on cross-site requests, complementing the existing Origin/Referer/Sec-Fetch-Site validation.

### Confidence Score: 4/5

- This PR is safe to merge with minimal risk
- The changes implement defense-in-depth security improvements without breaking existing functionality. The `SameSite=Strict` enforcement is backward-compatible (only adds the attribute if missing), and the JSON error response is a minor API improvement. The monkey-patching approach is localized to each request's response object and is a standard pattern for Express middleware. Existing tests for `shouldRejectBrowserMutation` still pass, validating that core CSRF logic remains intact.
- No files require special attention

Last reviewed commit: 8e471a5
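The `setHeader` patching described above, as an added example written for this page rather than code taken from the PR. It assumes an Express-style `(req, res, next)` middleware and that cookies reach the response through `res.setHeader` (the path `res.cookie` ends up using); the fake response object and the sample cookies are constructed here for an offline run.

```javascript
// Added example (not the PR's own code): append SameSite=Strict to any
// Set-Cookie value that lacks a SameSite attribute, leaving the rest intact.
const SAMESITE_RE = /;\s*samesite\s*=/i;

function withSameSiteStrict(cookie) {
  // Respect an attribute the application set deliberately (e.g. Lax or None).
  return SAMESITE_RE.test(cookie) ? cookie : `${cookie}; SameSite=Strict`;
}

// Node's setHeader accepts Set-Cookie as one string or an array of strings
// (one cookie per element); handle both shapes.
function enforceOnSetCookie(value) {
  return Array.isArray(value)
    ? value.map((c) => withSameSiteStrict(String(c)))
    : withSameSiteStrict(String(value));
}

// Express-style middleware: wrap this response's setHeader so any Set-Cookie
// header written later on this request carries SameSite=Strict. The header
// name is matched case-insensitively because setHeader accepts any casing.
function enforceSameSiteCookies(req, res, next) {
  const originalSetHeader = res.setHeader.bind(res);
  res.setHeader = (name, value) =>
    originalSetHeader(
      name,
      String(name).toLowerCase() === 'set-cookie' ? enforceOnSetCookie(value) : value,
    );
  if (typeof next === 'function') next();
}

// Constructed stand-in for http.ServerResponse so the middleware can be
// exercised without starting a server; headers are stored lower-cased.
function makeFakeResponse() {
  const headers = new Map();
  return {
    headers,
    setHeader(name, value) { headers.set(String(name).toLowerCase(), value); },
  };
}

function demo() {
  const res = makeFakeResponse();
  enforceSameSiteCookies({}, res, () => {});
  res.setHeader('Set-Cookie', [
    'session=abc123; Path=/; HttpOnly; Secure', // constructed: gets Strict appended
    'consent=1; SameSite=Lax; Path=/',          // constructed: already has SameSite
  ]);
  res.setHeader('Content-Type', 'application/json'); // non-cookie header untouched
  return res.headers;
}
```

Strict also withholds the cookie on top-level navigations arriving from another site, so a user following an external link into the app appears logged out until the next same-site request; that trade-off is worth checking against the PR's test plan alongside the header assertion.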
