test: add export security tests and CI coverage reporting
Export security tests (26 new tests):
- 11 XSS prevention tests covering all user-supplied fields in HTML export
(tree name, ticket, client, decisions, notes, timestamps, scratchpad)
- 7 edge case tests (unicode/emoji, empty decisions, missing fields, long content)
- 5 format-specific tests (markdown headers, text numbering)
- 3 HTML structure tests (valid document, CSS, timestamp toggle)
CI coverage reporting:
- Add --cov=app --cov-report flags to pytest in GitHub Actions
- Display per-module coverage summary after test run
- Baseline: 63% overall, 98% on export_service.py
Total tests: 215 (189 existing + 26 new)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
e216d5039e