Sicherheit + Tests + A11y, SW by-v1118

PYDANTIC max_length (38 Routen, ~400 Field-Constraints):
Schützt vor DoS durch Riesen-Payloads (10MB Thread-Titel etc.).
Pragmatische Limits:
- Titel/Name: 200 · Beschreibung/Body: 10000 · Notiz: 5000
- Email: 254 (RFC 5321) · URL: 500 · Slug/Kategorie: 100
- Hund-Name/Rasse: 80 · Hund-Bio: 2000

Top-betroffen: forum.py, diary.py, health.py, dogs.py, expenses.py,
notes.py, auth.py, profile.py. Manuelle len()-Checks in profile,
chat, ki entfernt (jetzt durch Field abgedeckt).

PYTEST COVERAGE (+19 Tests, 37 grün + 1 xfail):
- test_security.py: require_owner (Places GET/PATCH/DELETE mit
  Fremduser → 403), JWT-Blacklist (Logout invalidiert Token),
  Login-Lockout (5 Fehlversuche → 429 + Retry-After Header)
- test_race.py: Invoice-Counter (20 parallele Threads, alle unique),
  Founder-Number (atomare Vergabe, voll bei 100)
- test_validation.py: Forum-Titel 30k Zeichen → 422, Diary-Text
  50k → 422 (verifiziert Pydantic max_length-Sweep)

A11Y (Tap-Targets ≥44×44 + Dark-Mode-Kontrast):
- #header-user-btn 36→44px, .header-back 40→44, .header-menu-btn 40→44
- dog-profile Wrapped-Slider Prev/Next 40→44
- forum-Lightbox Close 40→44
- --c-text-muted Light: #B0A090 (2.37:1 FAIL) → #7F6B58 (4.74:1 PASS)
- --c-text-muted Dark:  #806A58 (3.58:1 FAIL) → #A08878 (5.46:1 PASS)
- Branding-Farben unangetastet

backend/routes/dogs.py

@@ -3,7 +3,7 @@
 import os
 import uuid
 from fastapi import APIRouter, Depends, HTTPException, UploadFile, File
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from typing import Optional
 from database import db
 from auth import get_current_user, has_pro_access
@@ -29,28 +29,28 @@ MEDIA_DIR = os.getenv("MEDIA_DIR", "/data/media")
 
 
 class DogCreate(BaseModel):
-    name:         str
-    rasse:        Optional[str] = None
-    geburtstag:   Optional[str] = None
-    geschlecht:   Optional[str] = None
+    name:         str             = Field(..., min_length=1, max_length=80)
+    rasse:        Optional[str]   = Field(None, max_length=80)
+    geburtstag:   Optional[str]   = Field(None, max_length=32)
+    geschlecht:   Optional[str]   = Field(None, max_length=20)
     gewicht_kg:   Optional[float] = None
     widerrist_cm: Optional[float] = None
-    chip_nr:      Optional[str] = None
-    bio:          Optional[str] = None
-    is_public:    bool = False
+    chip_nr:      Optional[str]   = Field(None, max_length=50)
+    bio:          Optional[str]   = Field(None, max_length=2000)
+    is_public:    bool            = False
 
 
 class DogUpdate(BaseModel):
-    name:         Optional[str] = None
-    rasse:        Optional[str] = None
-    rasse_id:     Optional[int] = None
-    geburtstag:   Optional[str] = None
-    geschlecht:   Optional[str] = None
+    name:         Optional[str]   = Field(None, max_length=80)
+    rasse:        Optional[str]   = Field(None, max_length=80)
+    rasse_id:     Optional[int]   = None
+    geburtstag:   Optional[str]   = Field(None, max_length=32)
+    geschlecht:   Optional[str]   = Field(None, max_length=20)
     gewicht_kg:   Optional[float] = None
     widerrist_cm: Optional[float] = None
-    chip_nr:      Optional[str] = None
-    bio:          Optional[str] = None
-    is_public:    Optional[bool] = None
+    chip_nr:      Optional[str]   = Field(None, max_length=50)
+    bio:          Optional[str]   = Field(None, max_length=2000)
+    is_public:    Optional[bool]  = None
 
 
 @router.get("")
@@ -1033,8 +1033,8 @@ async def public_dog_profile(dog_id: int):
 
 
 class FoundReport(BaseModel):
-    message:  Optional[str] = None
-    kontakt:  Optional[str] = None
+    message:  Optional[str] = Field(None, max_length=1000)
+    kontakt:  Optional[str] = Field(None, max_length=300)
 
 
 # Gefunden-Meldung (kein Login nötig)
@@ -1319,7 +1319,7 @@ async def get_dog_timeline(dog_id: int, user=Depends(get_current_user)):
 # POST /api/dogs/{id}/gedenken — Hund als verstorben markieren
 # ------------------------------------------------------------------
 class GedenkenData(BaseModel):
-    verstorben_am: str  # YYYY-MM-DD
+    verstorben_am: str = Field(..., max_length=32)  # YYYY-MM-DD
 
 @router.post("/{dog_id}/gedenken")
 async def mark_verstorben(dog_id: int, data: GedenkenData, user=Depends(get_current_user)):