test: add export security tests and CI coverage reporting

Export security tests (26 new tests):
- 11 XSS prevention tests covering all user-supplied fields in HTML export
  (tree name, ticket, client, decisions, notes, timestamps, scratchpad)
- 7 edge case tests (unicode/emoji, empty decisions, missing fields, long content)
- 5 format-specific tests (markdown headers, text numbering)
- 3 HTML structure tests (valid document, CSS, timestamp toggle)

CI coverage reporting:
- Add --cov=app --cov-report flags to pytest in GitHub Actions
- Display per-module coverage summary after test run
- Baseline: 63% overall, 98% on export_service.py

Total tests: 215 (189 existing + 26 new)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/workflows/ci.yml

@@ -47,8 +47,28 @@ jobs:
       - name: Install dependencies
         run: pip install -r backend/requirements.txt -r backend/requirements-dev.txt
 
-      - name: Run tests
-        run: cd backend && python -m pytest --override-ini="addopts="
+      - name: Run tests with coverage
+        run: cd backend && python -m pytest --override-ini="addopts=" --cov=app --cov-report=term-missing --cov-report=json:coverage.json
+
+      - name: Display coverage summary
+        if: always()
+        run: |
+          cd backend
+          python -c "
+          import json
+          with open('coverage.json') as f:
+              data = json.load(f)
+          total = data['totals']['percent_covered_display']
+          print(f'Total coverage: {total}%')
+          print()
+          print('Module coverage:')
+          for fname, fdata in sorted(data['files'].items()):
+              pct = fdata['summary']['percent_covered_display']
+              if float(pct) < 80:
+                  print(f'  ⚠ {fname}: {pct}%')
+              else:
+                  print(f'  ✓ {fname}: {pct}%')
+          "
 
   frontend:
     runs-on: ubuntu-latest