fix: critical security hardening (Phase A permissions audit)

- Remove role field from UserCreate schema, hardcode 'engineer' at registration
- Escape all user content in HTML export with html.escape() (XSS fix)
- Add field_validator to reject default SECRET_KEY when DEBUG=False
- Add CHECK constraint on users.role ('engineer'|'viewer') + migration 011
- Fix test_admin fixture to properly grant is_super_admin via ORM
- Fix circular FK (users↔invite_codes) in test DB setup with DROP SCHEMA CASCADE
- Add 5 new security tests (role validation + XSS prevention)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/api/endpoints/auth.py

@@ -75,7 +75,7 @@ async def register(
         email=user_data.email,
         password_hash=get_password_hash(user_data.password),
         name=user_data.name,
-        role=user_data.role,
+        role="engineer",
         invite_code_id=invite_code_record.id if invite_code_record else None
     )
     db.add(new_user)