added bookmark auth, CSP, per-session CSRF

- Bookmark endpoint now requires a secret token (stored in settings)
- Style reset moved from GET to POST with CSRF protection
- Open redirect prevention in _redirect() helper
- Import capped at 100 URLs to prevent abuse
- page_tags cleaned up on delete + PRAGMA foreign_keys enabled
- CSP, X-Frame-Options, X-Content-Type-Options on all responses
- CSRF tokens now per-session via double-submit cookie pattern
- Tag names URL-decoded for special characters
- Gateway forwards cookies in request data

gateway.py

@@ -75,11 +75,22 @@ class GatewayHandler(BaseHTTPRequestHandler):
             raw = self.rfile.read(length).decode()
             body = parse_qs(raw)
 
+        # Parse cookies
+        cookies = {}
+        cookie_header = self.headers.get("Cookie", "")
+        if cookie_header:
+            for part in cookie_header.split(";"):
+                part = part.strip()
+                if "=" in part:
+                    k, v = part.split("=", 1)
+                    cookies[k.strip()] = v.strip()
+
         request_data = {
             "method": method,
             "path": parsed.path,
             "query": query,
             "body": body,
+            "cookies": cookies,
             "gateway_host": self.headers.get("Host", f"localhost:{GATEWAY_PORT}"),
         }