fix(web): set Referrer-Policy on auth and recovery routes

[sergey3bv]

Summary

• Send Referrer-Policy: no-referrer from the unified server for password altering paths;
• Mirror same logic in hooks.server.ts for local dev parity;
• Add <meta name="referrer" content="no-referrer"> on related pages for tighter policy;
• Document routes and rationale in docs/SECURITY.md.

Avoid naming corporate partners, customers, or other sensitive external brands in this PR title or body. Use generic descriptors unless a maintainer explicitly approves the public reference.

Motivation

• A follow-up for feat(auth): include email in password-reset URL for password-manager pairing #92

Related Issue

• Closes fix(auth): make auth/reset page referrer policy explicit for email hints #139

Testing

• cargo test --workspace --verbose
• cargo clippy --workspace --all-targets --all-features -- -D warnings -A deprecated
• cargo fmt --all -- --check
• Manual verification completed

Visuals

• UI/web change with screenshots/video attached
• No visual change
• Visuals and text avoid sensitive external brand or partner names unless explicitly approved