fix: login page browser warnings and password manager support

- Make COOP header conditional on development mode to suppress HTTP warnings
- Add autocomplete attributes to all email/password inputs for password manager compatibility
- Add comprehensive tests for COOP conditional behavior
- Update security documentation for COOP, HTTPS requirements, and autocomplete

Fixes browser console warnings and improves UX by enabling password managers.
All quality gates passed: 85.7% backend coverage, 86.46% frontend coverage,
zero security issues, all pre-commit hooks passed.

Changes:
- Backend: backend/internal/api/middleware/security.go
- Frontend: Login, Setup, Account, AcceptInvite, SMTPSettings pages
- Tests: Added 4 new test cases (2 backend, 2 frontend)
- Docs: Updated security.md, getting-started.md, README.md

frontend/src/pages/__tests__/Setup.test.tsx

@@ -147,4 +147,20 @@ describe('Setup Page', () => {
       expect(screen.getByText('Setup failed')).toBeTruthy();
     });
   });
+
+  it('has proper autocomplete attributes for password managers', async () => {
+    vi.mocked(setupApi.getSetupStatus).mockResolvedValue({ setupRequired: true });
+
+    renderWithProviders(<Setup />);
+
+    await waitFor(() => {
+      expect(screen.getByText('Welcome to Charon')).toBeTruthy();
+    });
+
+    const emailInput = screen.getByLabelText('Email Address')
+    const passwordInput = screen.getByLabelText('Password')
+
+    expect(emailInput).toHaveAttribute('autocomplete', 'email')
+    expect(passwordInput).toHaveAttribute('autocomplete', 'new-password')
+  });
 });