feat: FASE 7 - Polish & Testing (security, i18n, test suite, docs)

Security hardening: CORS lockdown, rate limiting middleware con sliding
window e eviction IP stale, security headers (CSP, HSTS, X-Frame-Options),
session cookie hardening, filename sanitization upload.

i18n completion: internazionalizzati barcode.js e csv-export.js con bridge
window.BARCODE_I18N/CSV_I18N, aggiornati .po IT/EN con 27 nuove stringhe.

Tablet UX: touch target 44px per dispositivi coarse pointer.

Test suite: 101 test totali (76 server + 25 client), copertura completa
di tutti i router API, autenticazione, ruoli, CRUD, SPC, file upload,
security integration. Infrastruttura SQLite async in-memory con fixtures.

Fix critici: MissingGreenlet in recipe_service (selectinload eager),
route ordering tasks.py, auth_service bcrypt diretto, Measurement.id
Integer per SQLite.

Documentazione: API.md (riferimento completo 40+ endpoint),
DEPLOYMENT.md (guida produzione con Docker/Nginx/SSL),
USER_GUIDE.md (manuale utente per ruolo).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

client/tests/test_statistics.py

@@ -0,0 +1,88 @@
+"""Tests for statistics blueprint (client/blueprints/statistics.py).
+
+Covers dashboard rendering, role enforcement, and SPC/summary API proxies.
+"""
+import pytest
+
+
+class TestDashboard:
+    """GET /statistics/dashboard tests."""
+
+    def test_dashboard_renders(self, logged_in_client, mock_api_client):
+        """Dashboard renders for Metrologist role."""
+        mock_api_client.get.return_value = {
+            "items": [
+                {"id": 1, "code": "REC-001", "name": "Recipe A"},
+            ],
+            "total": 1,
+            "pages": 1,
+        }
+
+        resp = logged_in_client.get("/statistics/dashboard")
+        assert resp.status_code == 200
+
+    def test_dashboard_requires_login(self, client):
+        """Unauthenticated user is redirected to login."""
+        resp = client.get("/statistics/dashboard", follow_redirects=False)
+        assert resp.status_code == 302
+        assert "/auth/login" in resp.headers["Location"]
+
+
+class TestRoleRequired:
+    """Metrologist role enforcement tests."""
+
+    def test_requires_metrologist_role(self, flask_app):
+        """User without Metrologist role gets 403 on statistics endpoints."""
+        with flask_app.test_client() as c:
+            with c.session_transaction() as sess:
+                sess["api_key"] = "test-key"
+                sess["user"] = {
+                    "id": 3,
+                    "username": "maker_only",
+                    "display_name": "Maker Only",
+                    "roles": ["Maker"],
+                    "is_admin": False,
+                    "language_pref": "en",
+                    "theme_pref": "light",
+                    "active": True,
+                }
+                sess["user_id"] = 3
+                sess["language"] = "en"
+                sess["theme"] = "light"
+
+            resp = c.get("/statistics/dashboard")
+            assert resp.status_code == 403
+
+
+class TestSPCProxy:
+    """SPC data proxy endpoint tests."""
+
+    def test_summary_proxy(self, logged_in_client, mock_api_client):
+        """Summary API proxy returns JSON from backend."""
+        mock_api_client.get.return_value = {
+            "total": 100,
+            "pass_count": 90,
+            "fail_count": 5,
+            "warning_count": 5,
+        }
+
+        resp = logged_in_client.get(
+            "/statistics/api/summary?recipe_id=1"
+        )
+        assert resp.status_code == 200
+        data = resp.get_json()
+        assert data["total"] == 100
+
+    def test_capability_proxy(self, logged_in_client, mock_api_client):
+        """Capability API proxy returns JSON from backend."""
+        mock_api_client.get.return_value = {
+            "cp": 1.33,
+            "cpk": 1.20,
+        }
+
+        resp = logged_in_client.get(
+            "/statistics/api/capability?recipe_id=1&subtask_id=1"
+        )
+        assert resp.status_code == 200
+        data = resp.get_json()
+        assert "cp" in data