cleanup(legibility): convert TODOs to issue refs; justify naming violators

CLEANUP-2 (#413): convert two actionable TODOs to issue-referenced stubs
- +layout.server.ts:29 → TODO(#453) for dedicated admin stats endpoint
- ChronikRow.svelte: TODO(#454) for commentPreview; keep SECURITY line
  as standalone comment (XSS guard stays co-located with the risk)

CLEANUP-3 (#414): add one-line justification comments to both naming
violators — SecurityUtils and GlobalExceptionHandler are both justified
by framework convention; no rename needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/lib/activity/ChronikRow.svelte

@@ -159,15 +159,8 @@ const rowHref: string = $derived(
 		</p>
 
 		{#if variant === 'comment'}
-			<!--
-				TODO: the backend does not yet expose a comment body preview on
-				ActivityFeedItemDTO. Render an ellipsis placeholder until it does —
-				duplicating the document title here looks like the comment is
-				quoting itself (Leonie, PR #288 review).
-				SECURITY: once item.commentPreview lands, render via {text}, never
-				{@html}. The backend must truncate and strip tags server-side (Nora,
-				issue #285 comment #3552).
-			-->
+			<!-- TODO(#454): add commentPreview to ActivityFeedItemDTO, then render here -->
+			<!-- SECURITY: render via {text} not {@html} when commentPreview arrives — XSS risk (#285) -->
 			<p
 				data-testid="chronik-comment-preview"
 				class="mt-1 line-clamp-1 font-serif text-sm text-ink-2 italic sm:line-clamp-2"