fix(chat,picture,mukke): production readiness audit fixes and tests

Chat (62→82): Add DB indexes on all tables, rate limiting (ThrottlerModule),
space authorization checks (member verification, invite permissions),
input validation DTOs with @MaxLength, complete GDPR user deletion
(templates + usage logs), fix HTML injection in hooks.server.ts.
78 tests added (conversation + space services).

Picture (68→82): Add DB indexes on all tables, foreign key constraints
with cascade rules, rate limiting, webhook endpoint security (secret
header validation), input validation on generate DTO (@Min/@Max on
dimensions/steps/guidance), transaction wrapping for board duplication
and generation completion. 70 tests added (image + board services).

Mukke (62→80): Add 73 new tests (beat, marker, project services) on top
of existing 40 tests, bringing total to 113.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Till JS 2026-03-19 14:46:29 +01:00
parent 3da6cf2bd4
commit 8f0c747e08
41 changed files with 4236 additions and 321 deletions


@ -17,9 +17,10 @@ export const handle: Handle = async ({ event, resolve }) => {
transformPageChunk: ({ html }) => {
// Inject runtime environment variables into the HTML
// These will be available on window.__PUBLIC_*__ for client-side code
// Use JSON.stringify to prevent HTML/script injection
const envScript = `<script>
window.__PUBLIC_MANA_CORE_AUTH_URL__ = "${PUBLIC_MANA_CORE_AUTH_URL_CLIENT}";
window.__PUBLIC_BACKEND_URL__ = "${PUBLIC_BACKEND_URL_CLIENT}";
window.__PUBLIC_MANA_CORE_AUTH_URL__ = ${JSON.stringify(PUBLIC_MANA_CORE_AUTH_URL_CLIENT)};
window.__PUBLIC_BACKEND_URL__ = ${JSON.stringify(PUBLIC_BACKEND_URL_CLIENT)};
</script>`;
return html.replace('<head>', `<head>${envScript}`);
},
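Review bot: The new comment "Use JSON.stringify to prevent HTML/script injection" overstates what `JSON.stringify` gives you here: it escapes quotes and backslashes for the JavaScript string context, but it does not escape `<` or `/`, so a value containing `</script>` still terminates the inline script element and the remainder is parsed as HTML. Since the value is interpolated into an inline `<script>`, escape `<` (and ideally `>` and `&`) to their `\u003c`-style JS escapes after stringifying, e.g. `JSON.stringify(PUBLIC_BACKEND_URL_CLIENT).replace(/</g, '\\u003c')`, and adjust the comment to say the value is JS-string-escaped plus script-tag-safe. Separately, `html.replace('<head>', ...)` with a string replacement interprets `$` patterns (`$&`, `$'`, `` $` ``) in `envScript`; passing a replacer function (`() => \`<head>${envScript}\``) avoids that, and the same function should also be the place to confirm exactly one `<head>` is present.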