// Package auth implements the authentication and session-management layer for the Xtablo
// Go+HTMX rewrite. It consolidates all security-sensitive primitives in one place:
//
//   - Password hashing and verification (argon2id, PHC format) — password.go
//   - Session token generation, storage, lookup, rotation, and extension — session.go
//   - Per-key in-memory rate limiting for login attempts — ratelimit.go
//   - HTTP cookie helpers (set, clear) — cookie.go
//   - CSRF field rendering via gorilla/csrf — csrf.go
//
// Package layout decision (RESEARCH Open Question 3, resolved): all capabilities
// are consolidated here rather than split across internal/auth + internal/session.
// The Phase 1 internal/session placeholder (internal/session/doc.go) is kept as a
// one-line comment pointing here, preserving the file for git history.
//
// Constants, types, and sentinel errors exported from this package are the
// contracts consumed by Plans 02–07 in Phase 2.
package auth