Fix medium-severity issues from follow-up security audit

Addresses the remaining medium findings from the second-pass audit:

- DoS hardening: bound GraphQL query cost with FixedComplexityLimit, and
  reject non-positive items-per-page / page values so uint64 conversion
  cannot underflow into an unbounded LIMIT/OFFSET. The -1 "load all"
  sentinel stays valid for dashboards; REST now returns 400 for bad input.

- Security headers: add X-Content-Type-Options, X-Frame-Options,
  Referrer-Policy and a conservative CSP (frame-ancestors/object-src/
  base-uri) that hardens against clickjacking and base-tag injection
  without restricting the self-hosted SPA's inline scripts.

- Stored XSS: render job.metaData.message as escaped text instead of
  {@html ...} in Job.root and JobFootprint, preserving line breaks via
  white-space: pre-wrap.

- SQL injection hardening: parameterize the tag-scope IN list and the
  manager project subquery in CountTags instead of interpolating
  user.Username / user.Projects (externally sourced via OIDC/LDAP).

- CSRF defense-in-depth: reject cross-site state-changing requests via
  Sec-Fetch-Site, failing open for non-browser clients, on top of the
  existing SameSite=Lax session cookie.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: de7d47a85c7c

internal/repository/jobQuery.go

@@ -76,8 +76,15 @@ func (r *JobRepository) QueryJobs(
 	}
 
 	if page != nil && page.ItemsPerPage != -1 {
+		// -1 is the only valid non-positive value ("load all"); reject other
+		// non-positive values so that uint64(page.ItemsPerPage) cannot underflow
+		// into a huge limit. Clamp Page to >= 1 to avoid the same on the offset.
+		if page.ItemsPerPage < 1 {
+			return nil, fmt.Errorf("invalid items-per-page value: %d", page.ItemsPerPage)
+		}
+		p := max(page.Page, 1)
 		limit := uint64(page.ItemsPerPage)
-		query = query.Offset((uint64(page.Page) - 1) * limit).Limit(limit)
+		query = query.Offset((uint64(p) - 1) * limit).Limit(limit)
 	}
 
 	for _, f := range filters {