security: fix auth, CORS, file upload, endpoint hardening + test fixes

- Add INTERNAL_SECRET shared-secret auth to /internal/nc-upload endpoint
- Add JWT token validation to WebSocket /ws/versions/{version_id}
- Fix NameError: band_slug → band.slug in internal.py
- Move inline imports to top of internal.py; add missing Member/NextcloudClient imports
- Remove ~15 debug print() statements from auth.py
- Replace Content-Type-only avatar check with extension whitelist + Pillow Image.verify()
- Sanitize exception details in versions.py (no more str(e) in 4xx/5xx responses)
- Restrict CORS allow_methods/allow_headers from "*" to explicit lists
- Add security headers middleware: X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Reduce JWT expiry from 7 days to 1 hour
- Add Pillow>=10.0 dependency; document INTERNAL_SECRET in .env.example
- Implement missing RedisJobQueue.dequeue() method (required by protocol)
- Fix 5 pre-existing unit test failures: settings env vars conftest, deferred Redis push,
  dequeue method, AsyncMock→MagicMock for sync scalar_one_or_none

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/tests/unit/test_queue.py

@@ -5,7 +5,7 @@ from unittest.mock import AsyncMock, MagicMock, patch
 
 import pytest
 
-from rehearsalhub.queue.redis_queue import RedisJobQueue
+from rehearsalhub.queue.redis_queue import RedisJobQueue, flush_pending_pushes
 
 
 @pytest.mark.asyncio
@@ -34,6 +34,9 @@ async def test_enqueue_creates_job_and_pushes_to_redis(mock_session):
     job_id = await queue.enqueue("transcode", {"version_id": "abc"})
 
     mock_session.add.assert_called_once()
+    # The Redis push is deferred; it fires when flush_pending_pushes is called after commit.
+    mock_redis.rpush.assert_not_called()
+    await flush_pending_pushes(mock_session)
     mock_redis.rpush.assert_called_once()