security: N-1 uvicorn proxy-headers + N-2 Token-Reuse-Detection + N-3 XSS-Audit + N-4 Token-URL-Fragment + N-5 pip-audit CI

N-1: uvicorn --proxy-headers --forwarded-allow-ips=127.0.0.1
- timemaster.service: proxy-headers Flag gesetzt (beide Server)

N-2: Refresh-Token Re-Use-Detection
- auth_service.py: verbrauchter Token-Hash 48h in Redis (burned_token:<hash>)
- Bei erneutem Einsatz: alle Sessions invalidieren + AuditLog + HTTP 401

N-3: dangerouslySetInnerHTML-Audit
- Kein Vorkommen im Frontend gefunden — sauber

N-4: Reset/Invite-Token als URL-Fragment statt Query-Parameter
- email_service.py: ?token= → # (Fragment wird nicht in Referer gesendet)
- ResetPasswordPage.tsx: useSearchParams → window.location.hash.slice(1)
- Token-Lebensdauern geprüft: Reset 1h, Invite 7d — OK

N-5: Gitea CI Security-Workflow
- .gitea/workflows/security.yml: pip-audit + npm audit
- Trigger: push/PR auf main + wöchentlich montags

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/services/email_service.py

@@ -112,7 +112,7 @@ class EmailService:
 
     async def send_invite(self, user: "User", invited_by: "User", raw_token: str, db: AsyncSession) -> None:
         cfg = await self._load_smtp(user.company_id, db)
-        invite_url = f"{settings.frontend_url}/invite/accept?token={raw_token}"
+        invite_url = f"{settings.frontend_url}/invite/accept#{raw_token}"
         body = f"""
         <h1>Du wurdest eingeladen!</h1>
         <p><strong>{invited_by.full_name}</strong> hat dich zu <strong>{settings.app_name}</strong> eingeladen.</p>
@@ -130,7 +130,7 @@ class EmailService:
 
     async def send_password_reset(self, user: "User", raw_token: str, db: AsyncSession) -> None:
         cfg = await self._load_smtp(user.company_id, db)
-        reset_url = f"{settings.frontend_url}/auth/reset-password?token={raw_token}"
+        reset_url = f"{settings.frontend_url}/auth/reset-password#{raw_token}"
         body = f"""
         <h1>Passwort zurücksetzen</h1>
         <p>Hallo {user.first_name},</p>