All endpoints unauthenticated with CSRF disabled - unauthenticated Salesforce restore

Found via code audit. config/SecurityConfig.java:31-38. anyRequest().permitAll() + csrf().disable(). /api/restore writes to Salesforce. /api/download-url generates presigned S3 URLs. Zero auth.