Stefy Lanza (nextime / spora) authored

v0.99.51: security hardening — bcrypt passwords, rate limiting, auth fixes, safe cache serialisation

- Migrate password hashing from SHA-256 to bcrypt with backward-compatible auto-upgrade on login
- Add login rate limiting (10 attempts / 5 min window, 10 min lockout) per IP+username
- Force password change when default admin/admin credentials are detected (C3)
- Fix /api/admin/* middleware to require valid admin session instead of unconditional bypass (C5)
- Replace pickle serialisation in all cache backends (Redis, SQLite, MySQL, File) with JSON-first encoding; legacy pickle data still readable (H9)
- Fix PayPal webhook: implement 6 previously empty handler stubs with real wallet credit/debit logic (H1)
- Fix Stripe: remove no-op _handle_payment_succeeded stub, fix real implementation to use WalletManager (C7)
- Fix crypto address derivation race condition via BEGIN EXCLUSIVE / SELECT FOR UPDATE (H6)
- Fix PayPal webhook verification: return False (not True) when webhook_id not configured (C6)
- Fix pre-existing password reset flow using non-existent DB methods
- Fix CORS: allow_credentials=False to be compatible with wildcard origins
- Fix session cookie flags: same_site=lax, https_only via AISBF_HTTPS env var
- Fix background task GC: hold strong references to prevent premature task collection
- Remove dead Jinja2 environment and commented-out analytics init code
- Apply XSS escaping to user-controlled innerHTML in analytics and autoselects dashboard templates
- Update docs: security warnings in README and DEBUG_GUIDE, missing endpoints in ENDPOINTS.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1b742f3e