feat: implement security, error resilience, and query optimization proposals

Security Validation (enhance-security-validation):
- JWT secret validation with entropy checking and pattern detection
- CSRF protection middleware with token generation/validation
- Frontend CSRF token auto-injection for DELETE/PUT/PATCH requests
- MIME type validation with magic bytes detection for file uploads

Error Resilience (add-error-resilience):
- React ErrorBoundary component with fallback UI and retry functionality
- ErrorBoundaryWithI18n wrapper for internationalization support
- Page-level and section-level error boundaries in App.tsx

Query Performance (optimize-query-performance):
- Query monitoring utility with threshold warnings
- N+1 query fixes using joinedload/selectinload
- Optimized project members, tasks, and subtasks endpoints

Bug Fixes:
- WebSocket session management (P0): Return primitives instead of ORM objects
- LIKE query injection (P1): Escape special characters in search queries

Tests: 543 backend tests, 56 frontend tests passing

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/projects/router.py

@@ -1,7 +1,7 @@
 import uuid
 from typing import List
 from fastapi import APIRouter, Depends, HTTPException, status, Request
-from sqlalchemy.orm import Session
+from sqlalchemy.orm import Session, joinedload, selectinload
 
 from app.core.database import get_db
 from app.models import User, Space, Project, TaskStatus, AuditAction, ProjectMember, ProjectTemplate, CustomField
@@ -55,6 +55,8 @@ async def list_projects_in_space(
 ):
     """
     List all projects in a space that the user can access.
+
+    Optimized to avoid N+1 queries by using joinedload/selectinload for relationships.
     """
     space = db.query(Space).filter(Space.id == space_id, Space.is_active == True).first()
 
@@ -70,13 +72,21 @@ async def list_projects_in_space(
             detail="Access denied",
         )
 
-    projects = db.query(Project).filter(Project.space_id == space_id, Project.is_active == True).all()
+    # Use joinedload to eagerly load owner, space, and department
+    # Use selectinload for tasks (one-to-many) to avoid cartesian product issues
+    projects = db.query(Project).options(
+        joinedload(Project.owner),
+        joinedload(Project.space),
+        joinedload(Project.department),
+        selectinload(Project.tasks),
+    ).filter(Project.space_id == space_id, Project.is_active == True).all()
 
     # Filter by project access
     accessible_projects = [p for p in projects if check_project_access(current_user, p)]
 
     result = []
     for project in accessible_projects:
+        # Access pre-loaded relationships - no additional queries needed
         task_count = len(project.tasks) if project.tasks else 0
         result.append(ProjectWithDetails(
             id=project.id,
@@ -422,6 +432,10 @@ async def list_project_members(
     List all members of a project.
 
     Only users with project access can view the member list.
+
+    Optimized to avoid N+1 queries by using joinedload for user relationships.
+    This loads all members and their related users in at most 2 queries instead of
+    one query per member.
     """
     project = db.query(Project).filter(Project.id == project_id, Project.is_active == True).first()
 
@@ -437,14 +451,20 @@ async def list_project_members(
             detail="Access denied",
         )
 
-    members = db.query(ProjectMember).filter(
+    # Use joinedload to eagerly load user and added_by_user relationships
+    # This avoids N+1 queries when accessing member.user and member.added_by_user
+    members = db.query(ProjectMember).options(
+        joinedload(ProjectMember.user).joinedload(User.department),
+        joinedload(ProjectMember.added_by_user),
+    ).filter(
         ProjectMember.project_id == project_id
     ).all()
 
     member_list = []
     for member in members:
-        user = db.query(User).filter(User.id == member.user_id).first()
-        added_by_user = db.query(User).filter(User.id == member.added_by).first()
+        # Access pre-loaded relationships - no additional queries needed
+        user = member.user
+        added_by_user = member.added_by_user
 
         member_list.append(ProjectMemberWithDetails(
             id=member.id,