Sicherheit + Tests + A11y, SW by-v1118

PYDANTIC max_length (38 Routen, ~400 Field-Constraints):
Schützt vor DoS durch Riesen-Payloads (10MB Thread-Titel etc.).
Pragmatische Limits:
- Titel/Name: 200 · Beschreibung/Body: 10000 · Notiz: 5000
- Email: 254 (RFC 5321) · URL: 500 · Slug/Kategorie: 100
- Hund-Name/Rasse: 80 · Hund-Bio: 2000

Top-betroffen: forum.py, diary.py, health.py, dogs.py, expenses.py,
notes.py, auth.py, profile.py. Manuelle len()-Checks in profile,
chat, ki entfernt (jetzt durch Field abgedeckt).

PYTEST COVERAGE (+19 Tests, 37 grün + 1 xfail):
- test_security.py: require_owner (Places GET/PATCH/DELETE mit
  Fremduser → 403), JWT-Blacklist (Logout invalidiert Token),
  Login-Lockout (5 Fehlversuche → 429 + Retry-After Header)
- test_race.py: Invoice-Counter (20 parallele Threads, alle unique),
  Founder-Number (atomare Vergabe, voll bei 100)
- test_validation.py: Forum-Titel 30k Zeichen → 422, Diary-Text
  50k → 422 (verifiziert Pydantic max_length-Sweep)

A11Y (Tap-Targets ≥44×44 + Dark-Mode-Kontrast):
- #header-user-btn 36→44px, .header-back 40→44, .header-menu-btn 40→44
- dog-profile Wrapped-Slider Prev/Next 40→44
- forum-Lightbox Close 40→44
- --c-text-muted Light: #B0A090 (2.37:1 FAIL) → #7F6B58 (4.74:1 PASS)
- --c-text-muted Dark:  #806A58 (3.58:1 FAIL) → #A08878 (5.46:1 PASS)
- Branding-Farben unangetastet

backend/routes/auth.py

@@ -10,7 +10,7 @@ from typing import Optional
 import jwt as _pyjwt
 from fastapi import APIRouter, HTTPException, Request, Response, Depends
 from fastapi.responses import RedirectResponse
-from pydantic import BaseModel, EmailStr
+from pydantic import BaseModel, EmailStr, Field
 from database import db
 from auth import (
     hash_password, verify_password, create_token,
@@ -146,13 +146,13 @@ def _send_verification_email(email: str, name: str, token: str):
 
 class LoginRequest(BaseModel):
     email:    EmailStr
-    password: str
+    password: str = Field(..., min_length=1, max_length=200)
 
 class RegisterRequest(BaseModel):
     email:    EmailStr
-    password: str
-    name:     str
-    ref_code: Optional[str] = None
+    password: str = Field(..., min_length=8, max_length=200)
+    name:     str = Field(..., min_length=2, max_length=40)
+    ref_code: Optional[str] = Field(None, max_length=50)
 
 
 def _gen_referral_code() -> str:
@@ -426,8 +426,8 @@ class ForgotPasswordRequest(BaseModel):
     email: EmailStr
 
 class ResetPasswordRequest(BaseModel):
-    token: str
-    password: str
+    token:    str = Field(..., min_length=10, max_length=200)
+    password: str = Field(..., min_length=8, max_length=200)
 
 @router.post("/forgot-password")
 async def forgot_password(data: ForgotPasswordRequest, request: Request):
@@ -471,8 +471,8 @@ async def forgot_password(data: ForgotPasswordRequest, request: Request):
 
 
 class UpgradeRequestBody(BaseModel):
-    tier:    str
-    message: Optional[str] = None
+    tier:    str           = Field(..., max_length=50)
+    message: Optional[str] = Field(None, max_length=2000)
 
 @router.post("/upgrade-request")
 async def create_upgrade_request(data: UpgradeRequestBody, user=Depends(get_current_user)):