security: fix auth, CORS, file upload, endpoint hardening + test fixes

- Add INTERNAL_SECRET shared-secret auth to /internal/nc-upload endpoint
- Add JWT token validation to WebSocket /ws/versions/{version_id}
- Fix NameError: band_slug → band.slug in internal.py
- Move inline imports to top of internal.py; add missing Member/NextcloudClient imports
- Remove ~15 debug print() statements from auth.py
- Replace Content-Type-only avatar check with extension whitelist + Pillow Image.verify()
- Sanitize exception details in versions.py (no more str(e) in 4xx/5xx responses)
- Restrict CORS allow_methods/allow_headers from "*" to explicit lists
- Add security headers middleware: X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Reduce JWT expiry from 7 days to 1 hour
- Add Pillow>=10.0 dependency; document INTERNAL_SECRET in .env.example
- Implement missing RedisJobQueue.dequeue() method (required by protocol)
- Fix 5 pre-existing unit test failures: settings env vars conftest, deferred Redis push,
  dequeue method, AsyncMock→MagicMock for sync scalar_one_or_none

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/tests/unit/test_repositories.py

@@ -56,7 +56,7 @@ async def test_band_is_member_calls_get_member_role(mock_session):
     band_id = uuid.uuid4()
     member_id = uuid.uuid4()
 
-    result_mock = AsyncMock()
+    result_mock = MagicMock()
     result_mock.scalar_one_or_none.return_value = "admin"
     mock_session.execute.return_value = result_mock
 
@@ -70,7 +70,7 @@ async def test_band_is_member_false_when_no_role(mock_session):
     band_id = uuid.uuid4()
     member_id = uuid.uuid4()
 
-    result_mock = AsyncMock()
+    result_mock = MagicMock()
     result_mock.scalar_one_or_none.return_value = None
     mock_session.execute.return_value = result_mock