cleanup(legibility): convert TODOs to issue refs; justify naming violators

CLEANUP-2 (#413): convert two actionable TODOs to issue-referenced stubs
- +layout.server.ts:29 → TODO(#453) for dedicated admin stats endpoint
- ChronikRow.svelte: TODO(#454) for commentPreview; keep SECURITY line
  as standalone comment (XSS guard stays co-located with the risk)

CLEANUP-3 (#414): add one-line justification comments to both naming
violators — SecurityUtils and GlobalExceptionHandler are both justified
by framework convention; no rename needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/exception/GlobalExceptionHandler.java

@@ -15,6 +15,7 @@ import org.springframework.web.server.ResponseStatusException;
 
 import lombok.extern.slf4j.Slf4j;
 
+// "Handler" is Spring's @RestControllerAdvice naming convention — not a generic suffix.
 @RestControllerAdvice
 @Slf4j
 public class GlobalExceptionHandler {

backend/src/main/java/org/raddatz/familienarchiv/security/SecurityUtils.java

@@ -7,6 +7,7 @@ import org.springframework.security.core.Authentication;
 
 import java.util.UUID;
 
+// Cross-cutting auth helper; no domain home — "Utils" is the correct suffix here.
 public final class SecurityUtils {
 
     private SecurityUtils() {}