feat: FASE 7 - Polish & Testing (security, i18n, test suite, docs)

Security hardening: CORS lockdown, rate limiting middleware con sliding
window e eviction IP stale, security headers (CSP, HSTS, X-Frame-Options),
session cookie hardening, filename sanitization upload.

i18n completion: internazionalizzati barcode.js e csv-export.js con bridge
window.BARCODE_I18N/CSV_I18N, aggiornati .po IT/EN con 27 nuove stringhe.

Tablet UX: touch target 44px per dispositivi coarse pointer.

Test suite: 101 test totali (76 server + 25 client), copertura completa
di tutti i router API, autenticazione, ruoli, CRUD, SPC, file upload,
security integration. Infrastruttura SQLite async in-memory con fixtures.

Fix critici: MissingGreenlet in recipe_service (selectinload eager),
route ordering tasks.py, auth_service bcrypt diretto, Measurement.id
Integer per SQLite.

Documentazione: API.md (riferimento completo 40+ endpoint),
DEPLOYMENT.md (guida produzione con Docker/Nginx/SSL),
USER_GUIDE.md (manuale utente per ruolo).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/routers/files.py

@@ -1,5 +1,6 @@
 """File upload/download/delete router for images and PDFs."""
 import os
+import re
 from pathlib import Path
 
 from fastapi import APIRouter, Depends, File, HTTPException, UploadFile, status
@@ -29,6 +30,41 @@ def validate_file_size(file_size: int) -> bool:
     return file_size <= max_bytes
 
 
+def sanitize_filename(filename: str) -> str:
+    """Sanitize an uploaded filename to prevent path traversal and injection.
+
+    - Strips directory path separators (/ and \\).
+    - Only allows alphanumeric characters, dots, hyphens, and underscores.
+    - Rejects filenames starting with '.' (hidden files).
+    - Rejects empty filenames.
+
+    Returns:
+        The sanitized filename.
+
+    Raises:
+        HTTPException: If filename is empty or starts with '.'.
+    """
+    # Strip any path separators to prevent directory traversal
+    filename = filename.replace("/", "").replace("\\", "")
+
+    # Remove any characters not in the allowed set
+    filename = re.sub(r"[^a-zA-Z0-9._-]", "", filename)
+
+    if not filename:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Filename is empty or contains only invalid characters.",
+        )
+
+    if filename.startswith("."):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Filenames starting with '.' are not allowed.",
+        )
+
+    return filename
+
+
 def generate_thumbnail(image_path: Path, thumbnail_path: Path, max_size: tuple[int, int] = (200, 200)):
     """Generate a thumbnail for an image."""
     try:
@@ -78,15 +114,18 @@ async def upload_file(
 
     storage_dir.mkdir(parents=True, exist_ok=True)
 
+    # Sanitize the uploaded filename
+    safe_filename = sanitize_filename(file.filename or "")
+
     # Generate unique filename if file already exists
-    file_path = storage_dir / file.filename
+    file_path = storage_dir / safe_filename
     counter = 1
     while file_path.exists():
-        name_parts = file.filename.rsplit(".", 1)
+        name_parts = safe_filename.rsplit(".", 1)
         if len(name_parts) == 2:
             file_path = storage_dir / f"{name_parts[0]}_{counter}.{name_parts[1]}"
         else:
-            file_path = storage_dir / f"{file.filename}_{counter}"
+            file_path = storage_dir / f"{safe_filename}_{counter}"
         counter += 1
 
     # Write file