feat: implement 5 QA-driven security and quality proposals

Implemented proposals from comprehensive QA review:

1. extend-csrf-protection
   - Add POST to CSRF protected methods in frontend
   - Global CSRF middleware for all state-changing operations
   - Update tests with CSRF token fixtures

2. tighten-cors-websocket-security
   - Replace wildcard CORS with explicit method/header lists
   - Disable query parameter auth in production (code 4002)
   - Add per-user WebSocket connection limit (max 5, code 4005)

3. shorten-jwt-expiry
   - Reduce JWT expiry from 7 days to 60 minutes
   - Add refresh token support with 7-day expiry
   - Implement token rotation on refresh
   - Frontend auto-refresh when token near expiry (<5 min)

4. fix-frontend-quality
   - Add React.lazy() code splitting for all pages
   - Fix useCallback dependency arrays (Dashboard, Comments)
   - Add localStorage data validation in AuthContext
   - Complete i18n for AttachmentUpload component

5. enhance-backend-validation
   - Add SecurityAuditMiddleware for access denied logging
   - Add ErrorSanitizerMiddleware for production error messages
   - Protect /health/detailed with admin authentication
   - Add input length validation (comment 5000, desc 10000)

All 521 backend tests passing. Frontend builds successfully.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/tests/test_triggers.py

@@ -43,6 +43,22 @@ def test_user_token(client, mock_redis, test_user):
     return token
 
 
+@pytest.fixture
+def test_user_csrf_token(test_user):
+    """Generate a CSRF token for the test user."""
+    from app.core.security import generate_csrf_token
+    return generate_csrf_token(test_user.id)
+
+
+@pytest.fixture
+def test_user_auth_headers(test_user_token, test_user_csrf_token):
+    """Get complete auth headers for test user."""
+    return {
+        "Authorization": f"Bearer {test_user_token}",
+        "X-CSRF-Token": test_user_csrf_token,
+    }
+
+
 @pytest.fixture
 def test_space(db, test_user):
     """Create a test space."""
@@ -513,11 +529,11 @@ class TestTriggerNotifications:
 class TestTriggerAPI:
     """Tests for Trigger API endpoints."""
 
-    def test_create_trigger(self, client, test_user_token, test_project, test_status):
+    def test_create_trigger(self, client, test_user_auth_headers, test_project, test_status):
         """Test creating a trigger."""
         response = client.post(
             f"/api/projects/{test_project.id}/triggers",
-            headers={"Authorization": f"Bearer {test_user_token}"},
+            headers=test_user_auth_headers,
             json={
                 "name": "New Trigger",
                 "description": "Test trigger",
@@ -563,11 +579,11 @@ class TestTriggerAPI:
         assert data["id"] == test_trigger.id
         assert data["name"] == test_trigger.name
 
-    def test_update_trigger(self, client, test_user_token, test_trigger):
+    def test_update_trigger(self, client, test_user_auth_headers, test_trigger):
         """Test updating a trigger."""
         response = client.put(
             f"/api/triggers/{test_trigger.id}",
-            headers={"Authorization": f"Bearer {test_user_token}"},
+            headers=test_user_auth_headers,
             json={
                 "name": "Updated Trigger",
                 "is_active": False,
@@ -579,11 +595,11 @@ class TestTriggerAPI:
         assert data["name"] == "Updated Trigger"
         assert data["is_active"] is False
 
-    def test_delete_trigger(self, client, test_user_token, test_trigger):
+    def test_delete_trigger(self, client, test_user_auth_headers, test_trigger, test_user_token):
         """Test deleting a trigger."""
         response = client.delete(
             f"/api/triggers/{test_trigger.id}",
-            headers={"Authorization": f"Bearer {test_user_token}"},
+            headers=test_user_auth_headers,
         )
 
         assert response.status_code == 204
@@ -616,11 +632,11 @@ class TestTriggerAPI:
         data = response.json()
         assert data["total"] >= 1
 
-    def test_create_trigger_invalid_field(self, client, test_user_token, test_project):
+    def test_create_trigger_invalid_field(self, client, test_user_auth_headers, test_project):
         """Test creating a trigger with invalid field."""
         response = client.post(
             f"/api/projects/{test_project.id}/triggers",
-            headers={"Authorization": f"Bearer {test_user_token}"},
+            headers=test_user_auth_headers,
             json={
                 "name": "Invalid Trigger",
                 "trigger_type": "field_change",
@@ -636,11 +652,11 @@ class TestTriggerAPI:
         assert response.status_code == 400
         assert "Invalid condition field" in response.json()["detail"]
 
-    def test_create_trigger_invalid_operator(self, client, test_user_token, test_project):
+    def test_create_trigger_invalid_operator(self, client, test_user_auth_headers, test_project):
         """Test creating a trigger with invalid operator."""
         response = client.post(
             f"/api/projects/{test_project.id}/triggers",
-            headers={"Authorization": f"Bearer {test_user_token}"},
+            headers=test_user_auth_headers,
             json={
                 "name": "Invalid Trigger",
                 "trigger_type": "field_change",