docs(http): Sanctum XSRF gotcha — closes queue #22 docs path#75

Merged
jasperboerhof merged 2 commits into
mainfrom
armorer/queue-22-xsrf-sanctum-docs
May 12, 2026
Conversation

@Goosterhof
Contributor

Summary

Surface the fs-http × Laravel Sanctum SPA × withXSRFToken interaction explicitly on the docs site so future consumer adoptions don't repeat the entreezuil 419 cascade. Closes enforcement queue #22.

Commander disposition: docs-only path. Library default withXSRFToken: false stays as-is. No oxlint call-site rule. No source code changes. No version bump on fs-http.

Changes

  • docs/packages/http.md — new ## Authentication & XSRF section, sibling-level to ## Timeout (both are surface-defaults discussions). Names Laravel Sanctum SPA explicitly, explains the cookie / X-XSRF-TOKEN header mechanics, calls out HTTP 419 as the failure mode by name, points out that mocked transports (per ADR-0017) hide it, and documents the stateless / token / non-Sanctum case as the inverse.
  • docs/packages/http.md — API Reference table row for options.withXSRFToken expanded from the original one-line description with the Sanctum vs stateless guidance + an in-page cross-link to the new section.
  • packages/http/README.md — one-line ### Authentication & XSRF pointer mirroring the Timeout pointer shape landed by Engineer PR docs(fs-http): surface Doctrine #8 timeout contract; collapse README duplication #68. README/docs duplication discipline preserved (docs page is source of truth).
  • docs/architecture.md — not touched. The architecture doc has no auth surface (no mentions of withCredentials, XSRF, Sanctum, or csrf anywhere), so per scope D the cross-reference was skipped — don't invent a section just to add a link.

Verification

Local gates run, all green:

  • npm run format:check — 133 files, all formatted.
  • npm run lint — 0 warnings, 0 errors (oxlint, 95 rules).
  • npm run docs:build — VitePress SSR completes in ~6s, no errors.
  • Manual anchor verification — rendered HTML emits id="authentication-xsrf" matching the README pointer URL https://packages.script.nl/packages/http#authentication-xsrf. Custom warning block renders, code block has syntax highlighting.

Skipped: mutation, test:coverage, audit, lint:pkg (no source/manifest changes).

Test plan

  • CI green on the 8-gate pipeline (audit / format / lint / build / typecheck / lint:pkg / coverage / mutation).
  • Cloudflare Pages preview renders the new section under /packages/http#authentication-xsrf with custom-block warning styling intact.
  • Reviewer confirms the README pointer URL matches the docs-site anchor (#authentication-xsrf slug, generated by VitePress from heading text).
  • Reviewer confirms placement (sibling to ## Timeout, both expand on Configuration topics) reads naturally in the page outline.

🤖 Generated with Claude Code
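The cookie / header mechanics and the mocked-transport blind spot described in the summary, as an added example that is not part of this PR, fs-http or Laravel. Function names (readCookie, buildXsrfHeaders, fakeSanctum, simulate) and the token value are constructed stand-ins; the real Sanctum middleware decrypts the cookie rather than comparing against an in-memory value.

```javascript
// Client side: what axios 1.x does when withXSRFToken is true, with its
// default xsrfCookieName 'XSRF-TOKEN' and xsrfHeaderName 'X-XSRF-TOKEN'.
// The cookie value is URL-decoded before it is copied into the header.
function readCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

function buildXsrfHeaders(cookieHeader, withXSRFToken) {
  if (!withXSRFToken) return {}; // library default: no header at all
  const token = readCookie(cookieHeader, 'XSRF-TOKEN');
  return token ? { 'X-XSRF-TOKEN': token } : {};
}

// Server side: hypothetical stand-in for Sanctum's stateful CSRF check.
// A missing or mismatched header is answered with HTTP 419 (Page Expired).
function fakeSanctum(expectedToken) {
  return (req) => {
    const sent = req.headers['X-XSRF-TOKEN'];
    return sent && sent === expectedToken ? 200 : 419;
  };
}

// Mocked transport in the ADR-0017 sense: it never inspects headers,
// so a request without X-XSRF-TOKEN looks fine in unit tests.
const mockedTransport = () => 200;

// Constructed sample token; Laravel sends it URL-encoded in the cookie.
const sampleToken = 'eyJpdiI6ImNvbnN0cnVjdGVkIiwidmFsdWUiOiJhYmMifQ==';
const sampleCookieHeader =
  'XSRF-TOKEN=' + encodeURIComponent(sampleToken) + '; laravel_session=abc';

// Returns the status a POST would receive for a given client setting
// and transport.
function simulate(withXSRFToken, transport) {
  const req = { headers: buildXsrfHeaders(sampleCookieHeader, withXSRFToken) };
  return transport(req);
}

const liveSanctum = fakeSanctum(sampleToken);
simulate(false, liveSanctum); // 419: the default silently fails against Sanctum
simulate(true, liveSanctum); // 200: cookie copied into X-XSRF-TOKEN
simulate(false, mockedTransport); // 200: the mock hides the 419 cascade
```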

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented May 8, 2026

Deploying fs-packages with Cloudflare Pages

Latest commit: 2661e37
Status: ✅ Deploy successful!
Preview URL: https://420842c5.fs-packages.pages.dev
Branch Preview URL: https://armorer-queue-22-xsrf-sanctu.fs-packages.pages.dev

Add an Authentication & XSRF section to docs/packages/http.md sibling-
level to the Doctrine #8 Timeout block, naming Laravel Sanctum SPA
explicitly, explaining the XSRF-TOKEN cookie + axios 1.x withXSRFToken
mechanics, and stating the HTTP 419 failure mode (which mocked
transports do not surface, per ADR-0017). Stateless / token / non-
Sanctum stacks documented as the inverse case. Expand the API
Reference row for options.withXSRFToken with the same guidance and a
cross-link to the new section.

Add a one-line README pointer mirroring the Timeout pointer shape
landed by Engineer PR #68 (no full duplication; docs page is source of
truth).

Closes enforcement queue #22 docs path. Commander disposition: docs-
only. Library default of withXSRFToken: false stays as-is. No oxlint
call-site rule. No source code changes. No version bump.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Goosterhof Goosterhof force-pushed the armorer/queue-22-xsrf-sanctum-docs branch from c6c9af2 to eadce3f Compare May 8, 2026 10:47
@jasperboerhof jasperboerhof merged commit 2075b90 into main May 12, 2026
2 checks passed
@jasperboerhof jasperboerhof deleted the armorer/queue-22-xsrf-sanctum-docs branch May 12, 2026 17:30