feat: implement security, error resilience, and query optimization proposals

Security Validation (enhance-security-validation):
- JWT secret validation with entropy checking and pattern detection
- CSRF protection middleware with token generation/validation
- Frontend CSRF token auto-injection for DELETE/PUT/PATCH requests
- MIME type validation with magic bytes detection for file uploads

Error Resilience (add-error-resilience):
- React ErrorBoundary component with fallback UI and retry functionality
- ErrorBoundaryWithI18n wrapper for internationalization support
- Page-level and section-level error boundaries in App.tsx

Query Performance (optimize-query-performance):
- Query monitoring utility with threshold warnings
- N+1 query fixes using joinedload/selectinload
- Optimized project members, tasks, and subtasks endpoints

Bug Fixes:
- WebSocket session management (P0): Return primitives instead of ORM objects
- LIKE query injection (P1): Escape special characters in search queries

Tests: 543 backend tests, 56 frontend tests passing

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/attachments/router.py

@@ -24,6 +24,7 @@ from app.services.encryption_service import (
     MasterKeyNotConfiguredError,
     DecryptionError,
 )
+from app.middleware.csrf import require_csrf_token
 
 logger = logging.getLogger(__name__)
 
@@ -610,13 +611,14 @@ async def download_attachment(
 
 
 @router.delete("/attachments/{attachment_id}")
+@require_csrf_token
 async def delete_attachment(
     attachment_id: str,
     request: Request,
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
-    """Soft delete an attachment."""
+    """Soft delete an attachment. Requires CSRF token in X-CSRF-Token header."""
     attachment = get_attachment_with_access_check(db, attachment_id, current_user, require_edit=True)
 
     # Soft delete