{"mode":"stateless-hmac","note":"No server-side session store. Tokens are HMAC-signed cookies/hidden fields.","secret":"env"}