refactor: Clean Architecture mit Repository Pattern, Controllern und DTOs

- 15 Controller-Klassen ersetzen Minimal APIs in Program.cs
- Repository Pattern mit Interfaces + Implementierungen (Project, Task, Activity, User)
- AuthService verwendet jetzt IUserRepository statt direktem DbContext-Zugriff
- SecurityHeadersMiddleware als eigenständige Middleware-Klasse
- PathSecurityHelper als gemeinsamer Helper für Pfadvalidierung
- DTOs in eigenem Namespace Nexus.Api.DTOs
- EF-Entities in Nexus.Api.Data (vorher Nexus.Api.Domain)
- Program.cs auf DI-Registrierung + Middleware reduziert
- Alle 43 Endpoints unverändert erhalten
- Build + 3/3 Tests erfolgreich

backend/Middleware/SecurityHeadersMiddleware.cs

@@ -0,0 +1,27 @@
+namespace Nexus.Api.Middleware;
+
+public sealed class SecurityHeadersMiddleware(RequestDelegate next)
+{
+    public async Task InvokeAsync(HttpContext context)
+    {
+        var headers = context.Response.Headers;
+        var env = context.RequestServices.GetRequiredService<IHostEnvironment>();
+
+        if (!env.IsDevelopment())
+        {
+            headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
+        }
+        headers["X-Content-Type-Options"] = "nosniff";
+        headers["Content-Security-Policy"] = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";
+        headers["X-Frame-Options"] = "DENY";
+        headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
+
+        await next(context);
+    }
+}
+
+public static class SecurityHeadersMiddlewareExtensions
+{
+    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder builder)
+        => builder.UseMiddleware<SecurityHeadersMiddleware>();
+}