feat(frontend): add CSRF injection, rate-limit i18n, and 429 login handling

- handleFetch injects X-XSRF-TOKEN + XSRF-TOKEN cookie on all mutating
  backend API requests (double-submit cookie pattern); generates a fresh
  UUID when no XSRF-TOKEN cookie exists yet
- ErrorCode union gains CSRF_TOKEN_MISSING and TOO_MANY_LOGIN_ATTEMPTS;
  getErrorMessage maps both to i18n keys
- de/en/es messages add error_csrf_token_missing and
  error_too_many_login_attempts translations
- Login action maps HTTP 429 to fail(429, { ..., rateLimited: true });
  page shows a muted clock icon with aria-invalid on rate-limit errors

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/lib/shared/errors.ts

@@ -49,6 +49,8 @@ export type ErrorCode =
 	| 'MISSING_CREDENTIALS'
 	| 'UNAUTHORIZED'
 	| 'FORBIDDEN'
+	| 'CSRF_TOKEN_MISSING'
+	| 'TOO_MANY_LOGIN_ATTEMPTS'
 	| 'VALIDATION_ERROR'
 	| 'BATCH_TOO_LARGE'
 	| 'BULK_EDIT_TOO_MANY_IDS'
@@ -166,6 +168,10 @@ export function getErrorMessage(code: ErrorCode | string | undefined): string {
 			return m.error_unauthorized();
 		case 'FORBIDDEN':
 			return m.error_forbidden();
+		case 'CSRF_TOKEN_MISSING':
+			return m.error_csrf_token_missing();
+		case 'TOO_MANY_LOGIN_ATTEMPTS':
+			return m.error_too_many_login_attempts();
 		case 'VALIDATION_ERROR':
 			return m.error_validation_error();
 		case 'BATCH_TOO_LARGE':