Sicherheit + Tests + A11y, SW by-v1118

PYDANTIC max_length (38 Routen, ~400 Field-Constraints):
Schützt vor DoS durch Riesen-Payloads (10MB Thread-Titel etc.).
Pragmatische Limits:
- Titel/Name: 200 · Beschreibung/Body: 10000 · Notiz: 5000
- Email: 254 (RFC 5321) · URL: 500 · Slug/Kategorie: 100
- Hund-Name/Rasse: 80 · Hund-Bio: 2000

Top-betroffen: forum.py, diary.py, health.py, dogs.py, expenses.py,
notes.py, auth.py, profile.py. Manuelle len()-Checks in profile,
chat, ki entfernt (jetzt durch Field abgedeckt).

PYTEST COVERAGE (+19 Tests, 37 grün + 1 xfail):
- test_security.py: require_owner (Places GET/PATCH/DELETE mit
  Fremduser → 403), JWT-Blacklist (Logout invalidiert Token),
  Login-Lockout (5 Fehlversuche → 429 + Retry-After Header)
- test_race.py: Invoice-Counter (20 parallele Threads, alle unique),
  Founder-Number (atomare Vergabe, voll bei 100)
- test_validation.py: Forum-Titel 30k Zeichen → 422, Diary-Text
  50k → 422 (verifiziert Pydantic max_length-Sweep)

A11Y (Tap-Targets ≥44×44 + Dark-Mode-Kontrast):
- #header-user-btn 36→44px, .header-back 40→44, .header-menu-btn 40→44
- dog-profile Wrapped-Slider Prev/Next 40→44
- forum-Lightbox Close 40→44
- --c-text-muted Light: #B0A090 (2.37:1 FAIL) → #7F6B58 (4.74:1 PASS)
- --c-text-muted Dark:  #806A58 (3.58:1 FAIL) → #A08878 (5.46:1 PASS)
- Branding-Farben unangetastet

backend/routes/osm.py

@@ -9,7 +9,7 @@ import httpx
 import logging
 from typing   import Optional
 from fastapi  import APIRouter, Query, BackgroundTasks, Depends, HTTPException
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from database import db
 from auth import get_current_user, get_current_user_optional as get_optional_user
 
@@ -273,11 +273,11 @@ async def get_pois(
 # POST /user-poi — Community-Marker setzen
 # ------------------------------------------------------------------
 class UserPoiIn(BaseModel):
-    type:  str
+    type:  str            = Field(..., max_length=200)
     lat:   float
     lon:   float
-    name:  Optional[str] = None
-    notiz: Optional[str] = None
+    name:  Optional[str] = Field(None, max_length=300)
+    notiz: Optional[str] = Field(None, max_length=2000)
 
 ALLOWED_TYPES = {
     'waste_basket', 'drinking_water', 'dog_park',
@@ -331,8 +331,8 @@ async def delete_user_poi(poi_id: int, user = Depends(get_current_user)):
 # POST /report — Marker als ungültig melden
 # ------------------------------------------------------------------
 class ReportIn(BaseModel):
-    type:        str
-    grund:       str
+    type:        str           = Field(..., max_length=100)
+    grund:       str           = Field(..., max_length=200)
     osm_id:      Optional[int] = None
     user_poi_id: Optional[int] = None
 
@@ -388,9 +388,9 @@ async def analyze_region(
 # POST /pois/{osm_id}/edit — Nutzer schlägt Korrektur vor
 # ------------------------------------------------------------------
 class PoiEditCreate(BaseModel):
-    poi_name:  str
-    field:     str = 'opening_hours'
-    new_value: str
+    poi_name:  str = Field(..., max_length=300)
+    field:     str = Field('opening_hours', max_length=50)
+    new_value: str = Field(..., max_length=1000)
 
 
 @router.post('/pois/{osm_id}/edit', status_code=201)