feat: production launch — email audit, team invites, security headers, router fixes

- Fix loyalty & monitoring router bugs (_get_router → named routers)
- Implement team invitation email with send_template + seed templates (en/fr/de)
- Add SecurityHeadersMiddleware (nosniff, HSTS, referrer-policy, permissions-policy)
- Build email audit admin page: service, schemas, API, page route, menu, i18n, HTML, JS
- Clean stale TODO in platform-menu-config.js
- Add 67 tests (unit + integration) covering all new functionality

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

main.py

@@ -75,6 +75,7 @@ from middleware.logging import LoggingMiddleware
 
 # Import REFACTORED class-based middleware
 from middleware.platform_context import PlatformContextMiddleware
+from middleware.security_headers import SecurityHeadersMiddleware
 from middleware.store_context import StoreContextMiddleware
 from middleware.storefront_access import StorefrontAccessMiddleware
 from middleware.theme_context import ThemeContextMiddleware
@@ -144,6 +145,10 @@ logger.info("=" * 80)
 logger.info("MIDDLEWARE REGISTRATION")
 logger.info("=" * 80)
 
+# Add security headers middleware (runs early in response chain)
+logger.info("Adding SecurityHeadersMiddleware (security response headers)")
+app.add_middleware(SecurityHeadersMiddleware)
+
 # Add logging middleware (runs first for timing, logs all requests/responses)
 logger.info("Adding LoggingMiddleware (runs first for request timing)")
 app.add_middleware(LoggingMiddleware)