
feat(security): add CSRF token validation for state-changing requests#3248

Status: Open. vishu-bh wants to merge 5 commits into main from feature/csrf-token-in-requests

Conversation

@vishu-bh (Collaborator) commented Feb 25, 2026

🔗 Related Issue

Closes #543


📝 Summary

What does this PR do and why?

Implements a unified CSRF protection system for ContextForge and binds CSRF tokens to authenticated JWT sessions (via verified jti). The change replaces the legacy admin‑only CSRF path with a single, consistent CSRF cookie/header across UI and API flows, backed by configurable settings. It adds middleware enforcement for unsafe methods, a /auth/csrf-token refresh endpoint, and Admin UI updates (meta tags + JS injection) so forms/fetch automatically carry the CSRF header. Default exemptions are expanded for admin login/reset flows and path exemptions now support prefix matching. Tests and templates are updated to align with the unified CSRF cookie name and behavior.

Key implementation points:

  • CSRF token generation/validation uses csrf_secret_key and JWT jti session binding.
  • Admin UI now relies on the unified CSRF token and metadata in admin.html + admin.js.
  • Auth and password‑reset templates read the unified CSRF cookie.
  • Exempt paths include /admin/login, /admin/forgot-password, /admin/reset-password with prefix support.
  • Updated unit tests for admin and CSRF middleware.

🏷️ Type of Change

  • Bug fix
  • Feature / Enhancement
  • Documentation
  • Refactor
  • Chore (deps, CI, tooling)
  • Other (describe below)

🧪 Verification

Check            Command         Status
Lint suite       make lint
Unit tests       make test
Coverage >= 80%  make coverage

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • Tests added/updated for changes
  • Documentation updated (if applicable)
  • No secrets or credentials committed

📓 Notes (optional)

Screenshots, design decisions, or additional context.
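The description above explains the design (a CSRF token bound to the JWT session via jti, enforced by middleware on unsafe methods, with exempt paths matched by prefix) but the page carries no code. The following is an added, self-contained illustration of that pattern and is not ContextForge's code or this PR's code: the token format (nonce.issued_at.HMAC), the helper names, the TTL and the secret value are assumptions, and csrf_secret_key is represented by a constructed constant. The exempt-path list is the one the PR names.

```python
"""Session-bound double-submit CSRF tokens (constructed example, not project code)."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumption: stands in for the PR's csrf_secret_key setting. Constructed value.
CSRF_SECRET_KEY = b"constructed-example-secret-do-not-use-in-production"
TOKEN_TTL_SECONDS = 3600  # assumption: tokens older than this are rejected
UNSAFE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})
# Exempt paths as listed in the PR description; prefix-matched at a segment boundary.
EXEMPT_PREFIXES = ("/admin/login", "/admin/forgot-password", "/admin/reset-password")


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(jti: str, nonce: bytes, issued_at: int) -> bytes:
    # The MAC covers the session's jti, so a token minted for one session
    # is not valid for another, even with the same secret and same nonce.
    msg = b".".join([jti.encode(), nonce, str(issued_at).encode()])
    return hmac.new(CSRF_SECRET_KEY, msg, hashlib.sha256).digest()


def generate_csrf_token(jti: str, now: Optional[int] = None) -> str:
    """Mint a token for the session identified by jti (set as cookie and exposed to JS)."""
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_bytes(16)
    return ".".join([_b64(nonce), str(issued_at), _b64(_sign(jti, nonce, issued_at))])


def validate_csrf_token(token: str, jti: str, now: Optional[int] = None) -> bool:
    """True only if the token was minted for this jti, is intact, and has not expired."""
    now = int(time.time()) if now is None else now
    try:
        nonce_s, issued_s, sig_s = token.split(".")
        nonce, issued_at, sig = _unb64(nonce_s), int(issued_s), _unb64(sig_s)
    except (ValueError, TypeError):
        return False  # malformed token: wrong field count, bad base64 or non-integer timestamp
    if not 0 <= now - issued_at <= TOKEN_TTL_SECONDS:
        return False  # expired, or issued "in the future"
    return hmac.compare_digest(sig, _sign(jti, nonce, issued_at))


def is_exempt(path: str) -> bool:
    """Prefix exemption anchored at a path-segment boundary.

    A bare startswith() would also exempt e.g. /admin/login-audit; matching
    only the exact path or the prefix followed by '/' or '?' avoids that.
    """
    return any(
        path == p or path.startswith(p + "/") or path.startswith(p + "?")
        for p in EXEMPT_PREFIXES
    )


def csrf_check(
    method: str,
    path: str,
    jti: Optional[str],
    cookie_token: Optional[str],
    header_token: Optional[str],
    now: Optional[int] = None,
) -> Tuple[bool, str]:
    """Middleware-style decision for one request: (allowed, reason)."""
    if method.upper() not in UNSAFE_METHODS:
        return True, "safe method"
    if is_exempt(path):
        return True, "exempt path"
    if jti is None:
        return False, "no authenticated session"
    if not cookie_token or not header_token:
        return False, "missing csrf token"
    # Double-submit: cookie and header must carry the same token (constant-time compare).
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return False, "cookie/header mismatch"
    if not validate_csrf_token(header_token, jti, now):
        return False, "invalid, expired or wrong-session token"
    return True, "ok"


if __name__ == "__main__":
    tok = generate_csrf_token("jti-session-A")
    print(csrf_check("POST", "/admin/tools", "jti-session-A", tok, tok))   # allowed
    print(csrf_check("POST", "/admin/tools", "jti-session-B", tok, tok))   # rejected: other session
    print(csrf_check("POST", "/admin/login-audit", None, None, None))      # not exempt, no session
```

Two checks a reviewer would want to confirm against the real change: that the jti used for binding is the one from the verified JWT rather than a client-supplied value, and that prefix exemptions cannot be widened by routes that merely share a string prefix with an exempt path.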

@vishu-bh changed the title from "Feature/csrf token in requests" to "feat(security): add CSRF token validation for state-changing requests" Feb 25, 2026
@crivetimihai added labels enhancement (New feature or request), security (Improves security) and COULD (P3: Nice-to-have features with minimal impact if left out; included if time permits) Feb 26, 2026
@crivetimihai crivetimihai added this to the Release 1.2.0 milestone Feb 26, 2026
@crivetimihai (Member) commented

Thanks @vishu-bh for working on this. Heads up: PR #3134 by the maintainer also implements CSRF token validation and is significantly further along. It may make sense to coordinate to avoid duplicated effort — the maintainer's version may land first. Let me know if you'd like to focus on a different issue instead, or if there are aspects your approach covers that #3134 doesn't.

@vishu-bh force-pushed the feature/csrf-token-in-requests branch from 7082bfc to ebf674a February 26, 2026 15:32
@vishu-bh marked this pull request as ready for review February 26, 2026 15:34
@vishu-bh force-pushed the feature/csrf-token-in-requests branch from ed1c2d5 to 377fe64 March 1, 2026 19:26
vishu-bh added 5 commits March 2, 2026 10:28 (commit subjects truncated in the listing; one ends "…/PATCH requests"). Each commit carries the trailer:

Signed-off-by: Vishu Bhatnagar <vishu.bhatnagar@ibm.com>

@vishu-bh force-pushed the feature/csrf-token-in-requests branch from 23f6b86 to 92d15d8 March 2, 2026 10:31


Linked issue (closed on merge): [FEATURE][SECURITY]: CSRF token protection system