Handle POST /api/auth/dev-login with { email }. FAIL-CLOSED: 404 unless armed (checked before reading input);
400 for a missing/invalid email; else mint a real session for that email and return the sign-in Response (Set-Cookie).
Never throws on a hostile request.
Handle
POST /api/auth/dev-loginwith{ email }. FAIL-CLOSED: 404 unlessarmed(checked before reading input); 400 for a missing/invalid email; else mint a real session for that email and return the sign-in Response (Set-Cookie). Never throws on a hostile request.