fix(transcription): add noreferrer to mention dropdown create-new link

For issue #380 (Nora CWE-116). The "Neue Person anlegen" link opens in
a new tab and was missing `noreferrer` — the new tab could read
window.opener and the referrer leaked the transcription URL. Same-origin
risk is low but the omission was unintentional.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

frontend/src/lib/shared/discussion/MentionDropdown.svelte

@@ -188,7 +188,7 @@ function selectItem(item: Person) {
 		<a
 			href="/persons/new"
 			target="_blank"
-			rel="noopener"
+			rel="noopener noreferrer"
 			class="flex min-h-[44px] items-center gap-2 border-t border-line px-3 py-2.5 font-sans text-sm font-medium text-brand-navy hover:bg-canvas focus:bg-canvas focus:outline-none"
 			onmousedown={(e) => e.preventDefault()}
 		>

frontend/src/lib/shared/discussion/MentionDropdown.svelte.spec.ts

@@ -77,6 +77,19 @@ describe('MentionDropdown — search input', () => {
 		await expect.element(page.getByText(m.person_mention_search_prompt())).not.toBeInTheDocument();
 	});
 
+	it('"create new person" link has rel="noopener noreferrer" (CWE-116)', async () => {
+		render(MentionDropdown, {
+			model: makeModel([]),
+			editorQuery: 'unknown', // non-empty so the empty-state link renders
+			onSearch: () => {}
+		});
+
+		const link = document.querySelector('a[href="/persons/new"]') as HTMLAnchorElement;
+		expect(link).not.toBeNull();
+		expect(link.getAttribute('rel')).toContain('noopener');
+		expect(link.getAttribute('rel')).toContain('noreferrer');
+	});
+
 	it('search input wrapper meets the 44px touch target (WCAG 2.2 AA)', async () => {
 		render(MentionDropdown, {
 			model: makeModel(),