feat: implement 5 QA-driven security and quality proposals

Implemented proposals from comprehensive QA review:

1. extend-csrf-protection
   - Add POST to CSRF protected methods in frontend
   - Global CSRF middleware for all state-changing operations
   - Update tests with CSRF token fixtures

2. tighten-cors-websocket-security
   - Replace wildcard CORS with explicit method/header lists
   - Disable query parameter auth in production (code 4002)
   - Add per-user WebSocket connection limit (max 5, code 4005)

3. shorten-jwt-expiry
   - Reduce JWT expiry from 7 days to 60 minutes
   - Add refresh token support with 7-day expiry
   - Implement token rotation on refresh
   - Frontend auto-refresh when token near expiry (<5 min)

4. fix-frontend-quality
   - Add React.lazy() code splitting for all pages
   - Fix useCallback dependency arrays (Dashboard, Comments)
   - Add localStorage data validation in AuthContext
   - Complete i18n for AttachmentUpload component

5. enhance-backend-validation
   - Add SecurityAuditMiddleware for access denied logging
   - Add ErrorSanitizerMiddleware for production error messages
   - Protect /health/detailed with admin authentication
   - Add input length validation (comment 5000, desc 10000)

All 521 backend tests passing. Frontend builds successfully.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/tests/test_backend_reliability.py

@@ -128,7 +128,7 @@ class TestRedisFailover:
 class TestBlockerDeletionCheck:
     """Test blocker check before task deletion."""
 
-    def test_delete_task_with_blockers_warning(self, client, admin_token, db):
+    def test_delete_task_with_blockers_warning(self, client, admin_token, csrf_token, db):
         """Test that deleting task with blockers shows warning."""
         from app.models import Space, Project, Task, TaskStatus, TaskDependency
 
@@ -174,7 +174,7 @@ class TestBlockerDeletionCheck:
         # Try to delete without force
         response = client.delete(
             "/api/tasks/blocker-task",
-            headers={"Authorization": f"Bearer {admin_token}"}
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token}
         )
 
         # Should return warning or require confirmation
@@ -185,7 +185,7 @@ class TestBlockerDeletionCheck:
             if "warning" in data or "blocker_count" in data:
                 assert data.get("blocker_count", 0) >= 1 or "blocker" in str(data).lower()
 
-    def test_force_delete_resolves_blockers(self, client, admin_token, db):
+    def test_force_delete_resolves_blockers(self, client, admin_token, csrf_token, db):
         """Test that force delete resolves blockers."""
         from app.models import Space, Project, Task, TaskStatus, TaskDependency
 
@@ -231,7 +231,7 @@ class TestBlockerDeletionCheck:
         # Force delete
         response = client.delete(
             "/api/tasks/force-del-task?force_delete=true",
-            headers={"Authorization": f"Bearer {admin_token}"}
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token}
         )
 
         assert response.status_code == 200
@@ -240,7 +240,7 @@ class TestBlockerDeletionCheck:
         db.refresh(task_to_delete)
         assert task_to_delete.is_deleted is True
 
-    def test_delete_task_without_blockers(self, client, admin_token, db):
+    def test_delete_task_without_blockers(self, client, admin_token, csrf_token, db):
         """Test deleting task without blockers succeeds normally."""
         from app.models import Space, Project, Task, TaskStatus
 
@@ -267,7 +267,7 @@ class TestBlockerDeletionCheck:
         # Delete should succeed without warning
         response = client.delete(
             "/api/tasks/no-blocker-task",
-            headers={"Authorization": f"Bearer {admin_token}"}
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token}
         )
 
         assert response.status_code == 200