Closes the four High findings from the 2026-05-19 security audit.

Summary

• H1 — WS chat.join / chat.send now route through asobi_chat_acl:authorized/2, the same predicate the HTTP history endpoint already uses. Without this, any authenticated player could silently join dm:<alice>:<bob> and eavesdrop on every DM between them.
• H2 — New asobi_body_cap_plugin rejects HTTP bodies > 1 MiB and chunked requests without content-length, before nova_request_plugin buffers them into the BEAM heap. Per-route caps (e.g. 256 KB on saves) still apply on top.
• H3 — asobi_world_lobby:list_worlds_cached/0,1 caches world.list results for 500 ms via an ETS table owned by asobi_world_lobby_server. Stops a 60 msg/sec WS flood from fanning out 60k synchronous get_info calls per second against running worlds. find_or_create_unsafe stays uncached.
• H4 — Bump nova to 0.14.3 and add explicit cowboy override so cowlib resolves to 2.16.1. rebar3 audit now reports 1 vuln (LOW) down from 3 (with a HIGH on cowlib 2.16.0). The remaining LOW is pending an upstream cowlib release.

Test plan

• rebar3 eunit — 274 tests, 0 failures (includes 11 new tests across asobi_chat_acl_tests, asobi_body_cap_plugin_tests, asobi_world_lobby_cache_tests)
• rebar3 fmt --check clean
• rebar3 xref clean
• rebar3 dialyzer clean
• elp eqwalize-all — 0 errors (down from 2 pre-existing in asobi_world_lobby_ws_SUITE, also fixed)
• elp lint — no new warnings
• rebar3 audit — 3 vulns → 1 (LOW) remaining
• CT suite (requires Docker Postgres; runs in CI)

What is NOT in this PR

The audit's 10 Medium and 6 Low findings are deferred to a follow-up. Mediums worth flagging:

• M1 (hash auth-cache key)
• M3 (player metadata size cap)
• M5 (put_storage size cap)
• M6 (TLS pinning on Steam/Apple/Google httpc)
• M4 ban-column story (decision needed: implement or remove)