fix(auth): address PR #617 review feedback on CSRF/rate-limit implementation

- Remove unreachable `&& !xsrfToken` condition from `handleFetch` guard;
  simplify the redundant `cookieParts.length > 0` check that follows it
- Add `TOO_MANY_LOGIN_ATTEMPTS` to both Error Handling sections in CLAUDE.md
  (backend and frontend) so LLMs are aware of the code without looking it up
- Add reverse-proxy IP trust and IPv6 address-cycling caveats to ADR-022
  Consequences section

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/hooks.server.ts

@@ -131,14 +131,13 @@ export const handleFetch: HandleFetch = async ({ event, request, fetch }) => {
 	if (sessionId) cookieParts.push(`fa_session=${sessionId}`);
 	if (xsrfToken) cookieParts.push(`XSRF-TOKEN=${xsrfToken}`);
 
-	if (cookieParts.length === 0 && !xsrfToken) {
+	if (cookieParts.length === 0) {
 		return fetch(request);
 	}
 
 	// Clone first so the body stream is preserved on the new Request.
 	const cloned = request.clone();
-	const extraHeaders: Record<string, string> = {};
-	if (cookieParts.length > 0) extraHeaders['Cookie'] = cookieParts.join('; ');
+	const extraHeaders: Record<string, string> = { Cookie: cookieParts.join('; ') };
 	if (xsrfToken) extraHeaders['X-XSRF-TOKEN'] = xsrfToken;
 
 	const modified = new Request(cloned, {