security: fix auth, CORS, file upload, endpoint hardening + test fixes

- Add INTERNAL_SECRET shared-secret auth to /internal/nc-upload endpoint
- Add JWT token validation to WebSocket /ws/versions/{version_id}
- Fix NameError: band_slug → band.slug in internal.py
- Move inline imports to top of internal.py; add missing Member/NextcloudClient imports
- Remove ~15 debug print() statements from auth.py
- Replace Content-Type-only avatar check with extension whitelist + Pillow Image.verify()
- Sanitize exception details in versions.py (no more str(e) in 4xx/5xx responses)
- Restrict CORS allow_methods/allow_headers from "*" to explicit lists
- Add security headers middleware: X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Reduce JWT expiry from 7 days to 1 hour
- Add Pillow>=10.0 dependency; document INTERNAL_SECRET in .env.example
- Implement missing RedisJobQueue.dequeue() method (required by protocol)
- Fix 5 pre-existing unit test failures: settings env vars conftest, deferred Redis push,
  dequeue method, AsyncMock→MagicMock for sync scalar_one_or_none

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/tests/unit/conftest.py

@@ -0,0 +1,18 @@
+"""Unit test fixtures — sets required env vars so Settings() loads without a .env file."""
+
+import pytest
+
+
+@pytest.fixture(autouse=True)
+def patch_settings(monkeypatch):
+    """Provide the minimum env vars that Settings() requires for unit tests."""
+    monkeypatch.setenv("SECRET_KEY", "a" * 64)
+    monkeypatch.setenv("INTERNAL_SECRET", "b" * 64)
+    monkeypatch.setenv("DATABASE_URL", "postgresql+asyncpg://test:test@localhost/test")
+
+    # Clear the lru_cache so each test gets a fresh Settings instance with the
+    # monkeypatched env vars rather than the cached production instance.
+    from rehearsalhub.config import get_settings
+    get_settings.cache_clear()
+    yield
+    get_settings.cache_clear()