fix: v6 code review P0 auth/IDOR fixes + frontend regression patches

Backend fixes:
- auth_handler: P0 认证逻辑修复
- ratelimit: 限速中间件增强 + 新增单元测试
- auth_service: 认证服务逻辑完善 + 新增测试
- server: server 配置增强 + 新增测试
- handler_test: 新增 handler 层集成测试
- auth_bootstrap_test: bootstrap 路径测试

Frontend patches:
- LoginPage/RegisterPage: CSRF + 表单交互修复
- BootstrapAdminPage: 引导流程修复
- DevicesPage: 设备管理页修复
- auth/social-accounts/users/webhooks services: 类型修正
- csrf.ts: CSRF token 处理修正
- E2E 脚本: CDP smoke + auth e2e 增强

Docs:
- FULL_CODE_REVIEW_REPORT_2026-04-20
- report-v6 执行计划
- REAL_PROJECT_STATUS 更新
- .gitignore: 新增 .gocache-*/config.yaml 排除

验证: go build/vet 0错误, go test 42/42 PASS, 0 FAIL

docs/status/REAL_PROJECT_STATUS.md

@@ -1,5 +1,49 @@
 # REAL PROJECT STATUS
 
+## 2026-04-23 E2E Recovery Update
+
+### Latest Verification Snapshot
+
+| Command | Result | Note |
+|------|------|------|
+| `cd frontend/admin && npm.cmd run test:run -- src/pages/admin/DevicesPage/DevicesPage.test.tsx` | `PASS` | cursor pagination no longer auto-advances and flood-loads `/admin/devices` |
+| `cd frontend/admin && npm.cmd run test:run -- src/services/webhooks.test.ts` | `PASS` | webhook list and deliveries decoding now matches backend envelopes |
+| `cd frontend/admin && npm.cmd run test:run -- src/pages/admin/WebhooksPage/WebhooksPage.test.tsx` | `PASS` | webhook management page still works after service fix |
+| `cd frontend/admin && npm.cmd run test:run -- src/services/social-accounts.test.ts` | `PASS` | social accounts decoding now matches backend `accounts` payload |
+| `cd frontend/admin && npm.cmd run lint` | `PASS` | frontend lint is green after the recovery changes |
+| `cd frontend/admin && npm.cmd run build` | `PASS` | frontend production build is green after the recovery changes |
+| `cd frontend/admin && npm.cmd run e2e:full:win` | `PASS` | supported browser-level Playwright CDP E2E path re-ran green in the current workspace |
+
+### Current Honest Status
+
+- The supported browser-level real E2E command `cd frontend/admin && npm.cmd run e2e:full:win` is green again in the current workspace.
+- The re-verified scenarios now include:
+  - `admin-bootstrap`
+  - `public-registration`
+  - `email-activation`
+  - `login-surface`
+  - `auth-workflow`
+  - `responsive-login`
+  - `desktop-mobile-navigation`
+  - `user-management-crud`
+  - `role-management-crud`
+  - `device-management`
+  - `login-logs`
+  - `operation-logs`
+  - `webhook-management`
+  - `profile-and-security`
+  - `dashboard-stats`
+- The concrete defects fixed in this round were:
+  - `DevicesPage` cursor state was auto-chaining next-page fetches and could drive `/api/v1/admin/devices` into `429`.
+  - webhook frontend services were decoding `/webhooks` and `/webhooks/:id/deliveries` with the wrong response shape.
+  - social account frontend service was decoding `/users/me/social-accounts` with the wrong response shape.
+  - the Playwright CDP suite had multiple over-broad locators and stale route/title assumptions in the later admin scenarios.
+
+### Boundary
+
+- This update re-proves the supported browser-level E2E path only.
+- It does **not** by itself re-prove full backend `go test ./... -count=1`, real third-party OAuth live verification, or complete OS-level automation closure.
+
 ## 2026-04-10 复核更新（TDD修复后）
 
 本节记录 2026-04-10 TDD修复后的最新状态。