Add Auth & Portal Drift Guardrails - forbidden APIv1/Pterodactyl/CSRF/cookie patterns, enforce Portal→JWT→APIv2 flow

ANTI_DRIFT.md

@@ -43,3 +43,16 @@ If drift is detected:
 1. Revert the change
 2. Document why it was tempting
 3. Re-apply only what serves usability
+
+## Auth & Portal Drift Guardrails
+
+The following are explicitly disallowed:
+
+- Reintroducing APIv1 endpoints
+- Reintroducing Pterodactyl-based auth
+- CSRF token logic
+- Cookie-based authentication
+- Server-side portal sessions
+
+All auth must flow:
+Portal → JWT → APIv2