Security fixes: headers, bcrypt, error sanitization, xlsx replacement

[Tsopic]

Summary

• Add security headers middleware (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy)
• Increase bcrypt cost factor from 10 to 12 for stronger password hashing
• Replace vulnerable xlsx package with exceljs in frontend
• Add error message sanitization to prevent internal details leakage in API responses
• Create .env.example template documenting all environment variables

Test Plan

• All Go tests pass (19 packages)
• Frontend builds successfully
• npm audit shows 0 vulnerabilities
• cookie package override verified (1.1.1)

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 85.00000% with 3 lines in your changes missing coverage. Please review.

@@            Coverage Diff             @@
##             main      #16      +/-   ##
==========================================
+ Coverage   68.80%   68.83%   +0.02%     
==========================================
  Files          70       72       +2     
  Lines       10480    10499      +19     
==========================================
+ Hits         7211     7227      +16     
- Misses       2976     2978       +2     
- Partials      293      294       +1     

Flag	Coverage Δ
integration	68.83% <85.00%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c20ea33...4a04f86. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.