Sicherheit + Tests + A11y, SW by-v1118

PYDANTIC max_length (38 Routen, ~400 Field-Constraints):
Schützt vor DoS durch Riesen-Payloads (10MB Thread-Titel etc.).
Pragmatische Limits:
- Titel/Name: 200 · Beschreibung/Body: 10000 · Notiz: 5000
- Email: 254 (RFC 5321) · URL: 500 · Slug/Kategorie: 100
- Hund-Name/Rasse: 80 · Hund-Bio: 2000

Top-betroffen: forum.py, diary.py, health.py, dogs.py, expenses.py,
notes.py, auth.py, profile.py. Manuelle len()-Checks in profile,
chat, ki entfernt (jetzt durch Field abgedeckt).

PYTEST COVERAGE (+19 Tests, 37 grün + 1 xfail):
- test_security.py: require_owner (Places GET/PATCH/DELETE mit
  Fremduser → 403), JWT-Blacklist (Logout invalidiert Token),
  Login-Lockout (5 Fehlversuche → 429 + Retry-After Header)
- test_race.py: Invoice-Counter (20 parallele Threads, alle unique),
  Founder-Number (atomare Vergabe, voll bei 100)
- test_validation.py: Forum-Titel 30k Zeichen → 422, Diary-Text
  50k → 422 (verifiziert Pydantic max_length-Sweep)

A11Y (Tap-Targets ≥44×44 + Dark-Mode-Kontrast):
- #header-user-btn 36→44px, .header-back 40→44, .header-menu-btn 40→44
- dog-profile Wrapped-Slider Prev/Next 40→44
- forum-Lightbox Close 40→44
- --c-text-muted Light: #B0A090 (2.37:1 FAIL) → #7F6B58 (4.74:1 PASS)
- --c-text-muted Dark:  #806A58 (3.58:1 FAIL) → #A08878 (5.46:1 PASS)
- Branding-Farben unangetastet

backend/routes/wiki.py

@@ -6,7 +6,7 @@ import time
 import logging
 from fastapi import APIRouter, Depends, Form, HTTPException, Query, Request, UploadFile, File
 from fastapi.responses import JSONResponse
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from database import db
 from auth import get_current_user, get_current_user_optional
 from ratelimit import check as rl_check, block_ip
@@ -36,9 +36,9 @@ async def honeypot(request: Request):
 # Schemas
 # ------------------------------------------------------------------
 class BerichtCreate(BaseModel):
-    rasse: str
-    titel: str
-    text: str
+    rasse: str = Field(..., max_length=100)
+    titel: str = Field(..., min_length=3, max_length=200)
+    text:  str = Field(..., min_length=10, max_length=10000)
 
 
 # ------------------------------------------------------------------
@@ -411,8 +411,8 @@ async def list_submissions(user=Depends(get_current_user)):
 # PATCH /api/wiki/foto-submissions/{id} — genehmigen oder ablehnen
 # ------------------------------------------------------------------
 class ReviewModel(BaseModel):
-    action: str          # "approve" | "reject"
-    reject_reason: str = ""
+    action:        str = Field(..., max_length=30)          # "approve" | "reject"
+    reject_reason: str = Field("", max_length=2000)
 
 
 @router.patch("/foto-submissions/{sub_id}")
@@ -575,19 +575,19 @@ async def get_rasse_stats(slug: str, user=Depends(get_current_user_optional)):
 # Schemas für Interesse und Züchter
 # ------------------------------------------------------------------
 class InteresseCreate(BaseModel):
-    typ: str   # "hat" oder "will"
+    typ: str = Field(..., max_length=30)   # "hat" oder "will"
 
 class ZuchterCreate(BaseModel):
-    rasse_slug:   str
-    name:         str
-    zwingername:  str = ""
-    ort:          str = ""
-    plz:          str = ""
-    bundesland:   str = ""
+    rasse_slug:   str = Field(..., max_length=100)
+    name:         str = Field(..., min_length=1, max_length=200)
+    zwingername:  str = Field("", max_length=200)
+    ort:          str = Field("", max_length=200)
+    plz:          str = Field("", max_length=20)
+    bundesland:   str = Field("", max_length=100)
     vdh_mitglied: int = 0
-    website:      str = ""
-    telefon:      str = ""
-    beschreibung: str = ""
+    website:      str = Field("", max_length=500)
+    telefon:      str = Field("", max_length=30)
+    beschreibung: str = Field("", max_length=10000)
 
 
 # ------------------------------------------------------------------