fix(security): add csrfFetch wrapper and apply to all client-side mutating requests

Introduces `csrfFetch` (= `makeCsrfFetch(fetch)`) in cookies.ts as a
drop-in fetch replacement that auto-injects X-XSRF-TOKEN on POST/PUT/PATCH/DELETE.

Previously 8 call sites sent mutating requests without the CSRF header —
annotation resize, comment POST/PATCH/DELETE, Geschichte CRUD, Stammbaum
relationship creation, bulk-edit PATCH, and file upload — all would fail
with CSRF_TOKEN_MISSING if the backend's cookie-based protection triggered.

All 14 client-side mutating fetches now use csrfFetch; withCsrf/makeCsrfFetch
remain in the API for injectable-fetch use cases (e.g. useTranscriptionBlocks).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/lib/document/DocumentEditLayout.svelte

@@ -13,6 +13,7 @@ import WhoWhenSection from '$lib/document/WhoWhenSection.svelte';
 import DescriptionSection from '$lib/document/DescriptionSection.svelte';
 import type { Tag } from '$lib/tag/TagInput.svelte';
 import type { components } from '$lib/generated/api';
+import { csrfFetch } from '$lib/shared/cookies';
 import type { DatePrecision } from '$lib/shared/utils/documentDate';
 
 type Person = components['schemas']['Person'];
@@ -86,7 +87,7 @@ async function handleFile(file: File) {
 	try {
 		const formData = new FormData();
 		formData.append('file', file);
-		const res = await fetch(`/api/documents/${doc.id}/file`, {
+		const res = await csrfFetch(`/api/documents/${doc.id}/file`, {
 			method: 'POST',
 			body: formData,
 			signal: controller.signal