feat: FASE 7 - Polish & Testing (security, i18n, test suite, docs)

Security hardening: CORS lockdown, rate limiting middleware con sliding
window e eviction IP stale, security headers (CSP, HSTS, X-Frame-Options),
session cookie hardening, filename sanitization upload.

i18n completion: internazionalizzati barcode.js e csv-export.js con bridge
window.BARCODE_I18N/CSV_I18N, aggiornati .po IT/EN con 27 nuove stringhe.

Tablet UX: touch target 44px per dispositivi coarse pointer.

Test suite: 101 test totali (76 server + 25 client), copertura completa
di tutti i router API, autenticazione, ruoli, CRUD, SPC, file upload,
security integration. Infrastruttura SQLite async in-memory con fixtures.

Fix critici: MissingGreenlet in recipe_service (selectinload eager),
route ordering tasks.py, auth_service bcrypt diretto, Measurement.id
Integer per SQLite.

Documentazione: API.md (riferimento completo 40+ endpoint),
DEPLOYMENT.md (guida produzione con Docker/Nginx/SSL),
USER_GUIDE.md (manuale utente per ruolo).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/routers/tasks.py

@@ -180,46 +180,6 @@ async def create_task(
     return TaskResponse.model_validate(new_task)
 
 
-@router.put("/api/tasks/{task_id}", response_model=TaskResponse)
-async def update_task(
-    task_id: int,
-    data: TaskUpdate,
-    _user: User = Depends(require_maker),
-    db: AsyncSession = Depends(get_db),
-):
-    """Update a task. The task must belong to the current version. Requires Maker role."""
-    task = await _get_task_or_404(db, task_id)
-    await _ensure_version_is_current(db, task.version_id)
-
-    update_data = data.model_dump(exclude_unset=True)
-    if not update_data:
-        return TaskResponse.model_validate(task)
-
-    for field, value in update_data.items():
-        setattr(task, field, value)
-
-    await db.flush()
-    await db.refresh(task, attribute_names=["subtasks"])
-    return TaskResponse.model_validate(task)
-
-
-@router.delete("/api/tasks/{task_id}", status_code=204)
-async def delete_task(
-    task_id: int,
-    _user: User = Depends(require_maker),
-    db: AsyncSession = Depends(get_db),
-):
-    """Delete a task and its subtasks. The task must belong to the current version.
-
-    Requires Maker role.
-    """
-    task = await _get_task_or_404(db, task_id)
-    await _ensure_version_is_current(db, task.version_id)
-
-    await db.delete(task)
-    await db.flush()
-
-
 @router.put("/api/tasks/reorder", response_model=list[TaskResponse])
 async def reorder_tasks(
     data: TaskReorderRequest,
@@ -270,6 +230,46 @@ async def reorder_tasks(
     return [TaskResponse.model_validate(t) for t in ordered]
 
 
+@router.put("/api/tasks/{task_id}", response_model=TaskResponse)
+async def update_task(
+    task_id: int,
+    data: TaskUpdate,
+    _user: User = Depends(require_maker),
+    db: AsyncSession = Depends(get_db),
+):
+    """Update a task. The task must belong to the current version. Requires Maker role."""
+    task = await _get_task_or_404(db, task_id)
+    await _ensure_version_is_current(db, task.version_id)
+
+    update_data = data.model_dump(exclude_unset=True)
+    if not update_data:
+        return TaskResponse.model_validate(task)
+
+    for field, value in update_data.items():
+        setattr(task, field, value)
+
+    await db.flush()
+    await db.refresh(task, attribute_names=["subtasks"])
+    return TaskResponse.model_validate(task)
+
+
+@router.delete("/api/tasks/{task_id}", status_code=204)
+async def delete_task(
+    task_id: int,
+    _user: User = Depends(require_maker),
+    db: AsyncSession = Depends(get_db),
+):
+    """Delete a task and its subtasks. The task must belong to the current version.
+
+    Requires Maker role.
+    """
+    task = await _get_task_or_404(db, task_id)
+    await _ensure_version_is_current(db, task.version_id)
+
+    await db.delete(task)
+    await db.flush()
+
+
 # ---------------------------------------------------------------------------
 # Subtask endpoints
 # ---------------------------------------------------------------------------