fix(security): add csrfFetch wrapper and apply to all client-side mutating requests

Introduces `csrfFetch` (= `makeCsrfFetch(fetch)`) in cookies.ts as a
drop-in fetch replacement that auto-injects X-XSRF-TOKEN on POST/PUT/PATCH/DELETE.

Previously 8 call sites sent mutating requests without the CSRF header —
annotation resize, comment POST/PATCH/DELETE, Geschichte CRUD, Stammbaum
relationship creation, bulk-edit PATCH, and file upload — all would fail
with CSRF_TOKEN_MISSING if the backend's cookie-based protection triggered.

All 14 client-side mutating fetches now use csrfFetch; withCsrf/makeCsrfFetch
remain in the API for injectable-fetch use cases (e.g. useTranscriptionBlocks).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/lib/document/viewer/PdfViewer.svelte

@@ -6,6 +6,7 @@ import AnnotationLayer from '$lib/document/annotation/AnnotationLayer.svelte';
 import type { Annotation } from '$lib/shared/types';
 import { m } from '$lib/paraglide/messages.js';
 import { parseBackendError, getErrorMessage } from '$lib/shared/errors';
+import { csrfFetch } from '$lib/shared/cookies';
 
 type DrawRect = { x: number; y: number; width: number; height: number; pageNumber: number };
 
@@ -132,7 +133,7 @@ async function updateAnnotation(
 	coords: { x: number; y: number; width: number; height: number }
 ) {
 	if (!documentId) return;
-	const res = await fetch(`/api/documents/${documentId}/annotations/${annotationId}`, {
+	const res = await csrfFetch(`/api/documents/${documentId}/annotations/${annotationId}`, {
 		method: 'PATCH',
 		headers: { 'Content-Type': 'application/json' },
 		body: JSON.stringify(coords)