fix: address CodeQL security findings (v0.5.2)

- Rate-limit SPA fallback route (missing rate limiting on fs access)
- Add csrfMiddleware to all state-changing auth routes (logout, create
  user, change password, delete user) — previously bypassed global CSRF
  middleware due to router registration order
- Fix incomplete vCard escaping: escape backslashes before other special
  characters to prevent injection via contact fields
- Restrict CI GITHUB_TOKEN to contents: read (least privilege)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

server/index.js

@@ -163,10 +163,21 @@ app.get('/health', (req, res) => {
   res.json({ status: 'ok', timestamp: new Date().toISOString() });
 });
 
+// --------------------------------------------------------
+// Rate-Limiter für SPA-Fallback (verhindert Dateisystem-Hammering)
+// --------------------------------------------------------
+const spaLimiter = rateLimit({
+  windowMs: 60_000,
+  max: 200,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Zu viele Anfragen. Bitte warte kurz.', code: 429 },
+});
+
 // --------------------------------------------------------
 // SPA Fallback: Alle nicht-API-Routen → index.html
 // --------------------------------------------------------
-app.get('*', (req, res) => {
+app.get('*', spaLimiter, (req, res) => {
   if (req.path.startsWith('/api/')) {
     return res.status(404).json({ error: 'Nicht gefunden.', code: 404 });
   }