fix: code review fixes — date calc, input validation, rate limits, shared components

- Fix monthly_reset_at crash when billing anchor day exceeds next month's length
- Add environment_tags sanitization (max 20 tags, 100 chars each) to prevent prompt injection
- Add @limiter.limit("10/minute") rate limiting to all AI endpoints
- Use getTreeNavigatePath() routing helper instead of hardcoded paths
- Extract shared CreateFlowDropdown component from QuickStartPage and TreeLibraryPage
- Clear useCachedQuota on logout to prevent stale data across user sessions
- Add useRef guard to scaffold useEffect to prevent potential double-fire
- Use node.id as React key instead of array index in BranchDetailView
- Remove redundant dead logic in ai_tree_validator

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/schemas/ai_builder.py

@@ -2,7 +2,7 @@
 from typing import Any, Literal, Optional
 from uuid import UUID
 
-from pydantic import BaseModel, Field
+from pydantic import BaseModel, Field, field_validator
 
 
 # ── Requests ──
@@ -17,7 +17,17 @@ class AIStartRequest(BaseModel):
     category_id: Optional[UUID] = None
     name: str = Field(..., min_length=1, max_length=255)
     description: str = Field("", max_length=2000)
-    environment_tags: list[str] = Field(default_factory=list)
+    environment_tags: list[str] = Field(default_factory=list, max_length=20)
+
+    @field_validator("environment_tags")
+    @classmethod
+    def validate_tags(cls, v: list[str]) -> list[str]:
+        for tag in v:
+            if len(tag) > 100:
+                raise ValueError("Each environment tag must be 100 characters or fewer")
+            if not tag.strip():
+                raise ValueError("Environment tags must not be empty")
+        return v
 
 
 class AIScaffoldRequest(BaseModel):