fix(security): add csrfFetch wrapper and apply to all client-side mutating requests

Introduces `csrfFetch` (= `makeCsrfFetch(fetch)`) in cookies.ts as a
drop-in fetch replacement that auto-injects X-XSRF-TOKEN on POST/PUT/PATCH/DELETE.

Previously 8 call sites sent mutating requests without the CSRF header —
annotation resize, comment POST/PATCH/DELETE, Geschichte CRUD, Stammbaum
relationship creation, bulk-edit PATCH, and file upload — all would fail
with CSRF_TOKEN_MISSING if the backend's cookie-based protection triggered.

All 14 client-side mutating fetches now use csrfFetch; withCsrf/makeCsrfFetch
remain in the API for injectable-fetch use cases (e.g. useTranscriptionBlocks).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/lib/person/genealogy/StammbaumSidePanel.svelte

@@ -6,6 +6,7 @@ import { chipLabel, otherName, inferredRelationshipLabel } from '$lib/person/rel
 import AddRelationshipForm from '$lib/person/relationship/AddRelationshipForm.svelte';
 import type { RelFormData } from '$lib/person/relationship/AddRelationshipForm.svelte';
 import type { components } from '$lib/generated/api';
+import { csrfFetch } from '$lib/shared/cookies';
 
 type PersonNodeDTO = components['schemas']['PersonNodeDTO'];
 type RelationshipDTO = components['schemas']['RelationshipDTO'];
@@ -59,7 +60,7 @@ async function handleAddRelationship(data: RelFormData) {
 	};
 	if (data.fromYear !== undefined) body.fromYear = data.fromYear;
 	if (data.toYear !== undefined) body.toYear = data.toYear;
-	const res = await fetch(`/api/persons/${node.id}/relationships`, {
+	const res = await csrfFetch(`/api/persons/${node.id}/relationships`, {
 		method: 'POST',
 		headers: { 'Content-Type': 'application/json' },
 		body: JSON.stringify(body)