You are a senior security engineer auditing a production web application.
Scope: All authentication-related files — sign-up, login, logout, password reset, email verification, and session management.
Tasks (complete all, in order):
1. Passwords — verify hashing with bcrypt (cost ≥ 12) or argon2id (OWASP minimum: 19 MiB memory, 2 iterations, parallelism 1); the cost factor applies to bcrypt, argon2 is tuned by memory/time/parallelism. If plain text, unsalted MD5/SHA-1, or any other fast general-purpose hash is found, refactor to argon2id and rehash legacy entries on each user's next successful login (the plaintext is not available offline).
2. Sessions — confirm idle expiry ≤ 24 h and an absolute lifetime; regenerate the session identifier on login and on every privilege change so a pre-authentication identifier cannot be reused (session fixation).
3. Email verification — ensure unverified accounts cannot reach protected routes; the check must be enforced server-side on every protected route, not only hidden in the UI.
4. Password reset — tokens must be unguessable (≥ 128 bits from a CSPRNG), stored only as a hash, single-use, expire in ≤ 1 h, and be invalidated on use, on a new request, and on password change.
5. Rate limiting — cap login attempts to 5 per 15 min per IP and per account (a per-IP limit alone is bypassed by distributed attempts); add exponential back-off after 3 failures.
6. Secret exposure — grep for any auth secret, JWT secret, or API key in client-side bundles, public env vars (prefixes such as NEXT_PUBLIC_, VITE_ and REACT_APP_ are shipped to the browser), and committed .env files; move them to server-only env vars and rotate any secret that was exposed.
Output: a diff or list of every changed file, the specific line(s) changed, and one sentence explaining why each change closes a vulnerability. Flag anything you cannot fix and explain the blocker.
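Reference implementations of the target state for tasks 1, 4 and 5, added here as a worked example and not code from the audited application: a classifier for stored password-hash formats, a single-use reset-token store, and a login limiter with per-window cap and exponential back-off. The names (classify_password_hash, ResetTokenStore, LoginRateLimiter), the in-memory dicts, and the sample hashes are assumptions for illustration; a real deployment would back the stores with the database or a shared cache and key the limiter on both IP and account.

```python
"""Added example for audit tasks 1, 4 and 5 (hypothetical names, in-memory stores)."""
import hashlib
import re
import secrets

# --- Task 1: classify a stored password hash by its format -----------------
# bcrypt: $2a/$2b/$2y$ + two-digit cost + 53 chars of salt and digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def classify_password_hash(stored: str) -> str:
    """Return 'ok' for argon2id or bcrypt with cost >= 12, otherwise the finding."""
    if stored.startswith("$argon2id$"):
        return "ok"
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        return "ok" if cost >= 12 else f"bcrypt cost {cost} < 12"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5: refactor to argon2id"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "sha1: refactor to argon2id"
    return "unknown format, possibly plaintext: refactor to argon2id"


# --- Task 4: single-use, hashed, 1 h reset tokens --------------------------
RESET_TTL = 3600  # seconds


class ResetTokenStore:
    def __init__(self):
        self._by_hash = {}  # sha256(token) -> (user, expires_at)
        self._by_user = {}  # user -> sha256 of the currently valid token

    def issue(self, user: str, now: float) -> str:
        # A new request invalidates any earlier token for the same user.
        old = self._by_user.pop(user, None)
        if old:
            self._by_hash.pop(old, None)
        raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self._by_hash[digest] = (user, now + RESET_TTL)
        self._by_user[user] = digest
        return raw  # only the hash is stored, so a DB leak does not leak tokens

    def consume(self, raw: str, now: float):
        """Return the user for a valid token, else None. Removes it either way."""
        digest = hashlib.sha256(raw.encode()).hexdigest()
        entry = self._by_hash.pop(digest, None)  # single-use: gone on first lookup
        if entry is None:
            return None
        user, expires_at = entry
        self._by_user.pop(user, None)
        return user if now <= expires_at else None


# --- Task 5: 5 attempts / 15 min plus exponential back-off after 3 failures
WINDOW = 15 * 60
MAX_ATTEMPTS = 5
BACKOFF_AFTER = 3


class LoginRateLimiter:
    """Key is caller-chosen, e.g. 'ip:10.0.0.1' or 'acct:alice'; use both."""

    def __init__(self):
        self._failures = {}       # key -> failure timestamps
        self._blocked_until = {}  # key -> time until which back-off applies

    def check(self, key: str, now: float) -> float:
        """Return 0 if an attempt may proceed, otherwise seconds to wait."""
        until = self._blocked_until.get(key, 0)
        if now < until:
            return until - now
        fails = [t for t in self._failures.get(key, []) if now - t < WINDOW]
        self._failures[key] = fails
        if len(fails) >= MAX_ATTEMPTS:
            return WINDOW - (now - fails[0])  # wait until the oldest one ages out
        return 0

    def record_failure(self, key: str, now: float) -> None:
        fails = self._failures.setdefault(key, [])
        fails.append(now)
        n = len([t for t in fails if now - t < WINDOW])
        if n >= BACKOFF_AFTER:
            # 3rd failure -> 1 s, 4th -> 2 s, 5th -> 4 s, ...
            self._blocked_until[key] = now + 2 ** (n - BACKOFF_AFTER)

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._blocked_until.pop(key, None)
```

The limiter deliberately keeps two independent mechanisms: the window cap bounds total attempts, while the back-off slows a single attacker down after the third failure even when the cap has not yet been reached; a successful login clears both so a legitimate user who mistyped is not penalised afterwards.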