feat: implement 5 QA-driven security and quality proposals

Implemented proposals from comprehensive QA review:

1. extend-csrf-protection
   - Add POST to CSRF protected methods in frontend
   - Global CSRF middleware for all state-changing operations
   - Update tests with CSRF token fixtures

2. tighten-cors-websocket-security
   - Replace wildcard CORS with explicit method/header lists
   - Disable query parameter auth in production (code 4002)
   - Add per-user WebSocket connection limit (max 5, code 4005)

3. shorten-jwt-expiry
   - Reduce JWT expiry from 7 days to 60 minutes
   - Add refresh token support with 7-day expiry
   - Implement token rotation on refresh
   - Frontend auto-refresh when token near expiry (<5 min)

4. fix-frontend-quality
   - Add React.lazy() code splitting for all pages
   - Fix useCallback dependency arrays (Dashboard, Comments)
   - Add localStorage data validation in AuthContext
   - Complete i18n for AttachmentUpload component

5. enhance-backend-validation
   - Add SecurityAuditMiddleware for access denied logging
   - Add ErrorSanitizerMiddleware for production error messages
   - Protect /health/detailed with admin authentication
   - Add input length validation (comment 5000, desc 10000)

All 521 backend tests passing. Frontend builds successfully.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/tests/test_encryption.py

@@ -312,6 +312,13 @@ class TestConfidentialProjectUpload:
         mock_redis.setex(f"session:{test_user.id}", 900, token)
         return token
 
+    @pytest.fixture
+    def test_user_csrf_token(self, test_user):
+        """Generate a CSRF token for the test user."""
+        from app.core.security import generate_csrf_token
+
+        return generate_csrf_token(test_user.id)
+
     @pytest.fixture
     def test_space(self, db, test_user):
         """Create a test space."""
@@ -364,7 +371,7 @@ class TestConfidentialProjectUpload:
         return task
 
     def test_upload_confidential_project_encryption_unavailable(
-        self, client, test_user_token, test_task, db
+        self, client, test_user_token, test_user_csrf_token, test_task, db
     ):
         """Test that uploading to confidential project returns 400 when encryption is unavailable."""
         from io import BytesIO
@@ -378,7 +385,7 @@ class TestConfidentialProjectUpload:
 
             response = client.post(
                 f"/api/tasks/{test_task.id}/attachments",
-                headers={"Authorization": f"Bearer {test_user_token}"},
+                headers={"Authorization": f"Bearer {test_user_token}", "X-CSRF-Token": test_user_csrf_token},
                 files=files,
             )
 
@@ -387,7 +394,7 @@ class TestConfidentialProjectUpload:
             assert "environment variable" in response.json()["detail"]
 
     def test_upload_confidential_project_no_active_key(
-        self, client, test_user_token, test_task, db
+        self, client, test_user_token, test_user_csrf_token, test_task, db
     ):
         """Test that uploading to confidential project returns 400 when no active encryption key exists."""
         from io import BytesIO
@@ -408,7 +415,7 @@ class TestConfidentialProjectUpload:
 
             response = client.post(
                 f"/api/tasks/{test_task.id}/attachments",
-                headers={"Authorization": f"Bearer {test_user_token}"},
+                headers={"Authorization": f"Bearer {test_user_token}", "X-CSRF-Token": test_user_csrf_token},
                 files=files,
             )