Aura multi_identity_saas harness

Permanent validation asset. Not a customer-facing app. See saas-harness/README.md.

Active toggles

ENABLE_BOLA_H_BUG = true
ENABLE_BOLA_V_BUG = true
ENABLE_ROLE_CLAIM_BUG = true
ENABLE_AUX_METADATA_LEAK = true
ENABLE_CLEAN_CONTROLS = true

Endpoints

GET /api/health
GET /api/me
GET /api/projects
GET /api/projects/:id (BOLA-h)
POST /api/projects/:id/archive (BOLA-v)
GET /api/documents/:id (BOLA-h)
GET /api/invoices/:id (clean control)
POST /api/admin/export (BOLA-v)
GET /api/debug (aux leak)
GET /api/sources (aux leak)