Security by design

JFS identity verification, per-FID rate limiting, server-side link resolution, CSP headers. Links are never accepted from the client. Copy these patterns.