## Description ### Implement the complete authentication and security architecture for ResumeAgent based on the documented design. ### The system must be stateless, JWT-based, cookie-secured, and defensive by default, with full auditability and admin control. ### This epic tracks all backend work required to deliver a production-grade authentication system. --- ## Checklist ### Authentication & Tokens - [ ] JWT access token generation and validation - [ ] Refresh token rotation and reuse detection - [ ] Secure cookie handling ### User Security - [ ] Login and logout flows - [ ] Email verification enforcement - [ ] Password reset workflow - [ ] Password history enforcement ### Authorization - [ ] Role-based authorization (USER / ADMIN) - [ ] Admin-only endpoint protection ### Platform Protection - [ ] CSRF protection - [ ] Rate limiting - [ ] HTTPS enforcement - [ ] Security headers ### Auditing & Monitoring - [ ] Authentication event logging - [ ] Admin action auditing ---
