feat: complete all 15 next recommendations

Frontend wiring:
- Wire useMarkdownWorker into Markdown component (worker-first, sync fallback)
- Wire useIndexedDB as primary storage in useChatHistory (500 msg cap, localStorage fallback)

Backend depth:
- Persistent audit store (SQLite, thread-safe, WAL mode) with record/query/filter
- Wire audit store into session routes (session.create, prompt.submit events)
- Wire audit store into audit export routes (persistent-first, telemetry fallback)
- CSRF double-submit cookie pattern (token generation, cookie set, header validation)

Production:
- Helm chart CI: helm lint + helm template validation
- Database migration CI: verify step in pipeline
- Prometheus alerting rules (error rate, latency, pod restarts, memory, CPU, queue, health)
- Rate limiting per API key (3x IP limit, sliding window, advisory)
- WebSocket SSE fallback (auto-downgrade after MAX_RETRIES WS failures)

Tests: 605 Python + 56 frontend = 661 total, 0 ruff errors
Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>

tests/test_audit_store.py

@@ -0,0 +1,58 @@
+"""Tests for persistent audit event storage."""
+
+import time
+
+from fusionagi.api.audit_store import get_audit_count, get_audit_events, record_audit_event
+
+
+def test_record_and_retrieve(tmp_path, monkeypatch):
+    """Should record and retrieve audit events."""
+    monkeypatch.setenv("FUSIONAGI_AUDIT_DB", str(tmp_path / "test_audit.db"))
+    # Reset connection
+    import fusionagi.api.audit_store as mod
+    mod._conn = None
+
+    eid = record_audit_event("test.action", actor="user1", resource_type="session", resource_id="s1")
+    assert eid > 0
+
+    events = get_audit_events(limit=10)
+    assert len(events) >= 1
+    assert events[0]["action"] == "test.action"
+    assert events[0]["actor"] == "user1"
+
+
+def test_filter_by_action(tmp_path, monkeypatch):
+    """Should filter events by action."""
+    monkeypatch.setenv("FUSIONAGI_AUDIT_DB", str(tmp_path / "test_audit2.db"))
+    import fusionagi.api.audit_store as mod
+    mod._conn = None
+
+    record_audit_event("session.create")
+    record_audit_event("prompt.submit")
+    record_audit_event("session.create")
+
+    events = get_audit_events(action="session.create")
+    assert all(e["action"] == "session.create" for e in events)
+
+
+def test_filter_by_since(tmp_path, monkeypatch):
+    """Should filter events by timestamp."""
+    monkeypatch.setenv("FUSIONAGI_AUDIT_DB", str(tmp_path / "test_audit3.db"))
+    import fusionagi.api.audit_store as mod
+    mod._conn = None
+
+    record_audit_event("old.event")
+    future = time.time() + 1000
+    events = get_audit_events(since=future)
+    assert len(events) == 0
+
+
+def test_count(tmp_path, monkeypatch):
+    """Should return total count."""
+    monkeypatch.setenv("FUSIONAGI_AUDIT_DB", str(tmp_path / "test_audit4.db"))
+    import fusionagi.api.audit_store as mod
+    mod._conn = None
+
+    record_audit_event("count.test")
+    record_audit_event("count.test")
+    assert get_audit_count() >= 2

tests/test_csrf_token.py

@@ -0,0 +1,28 @@
+"""Tests for CSRF token generation and double-submit cookie pattern."""
+
+from fusionagi.api.security import (
+    CSRF_COOKIE_NAME,
+    CSRF_HEADER_NAME,
+    CSRF_TOKEN_LENGTH,
+    generate_csrf_token,
+)
+
+
+def test_generate_csrf_token_length():
+    """Token should be URL-safe and reasonable length."""
+    token = generate_csrf_token()
+    assert len(token) > 20
+    assert all(c.isalnum() or c in "-_" for c in token)
+
+
+def test_generate_csrf_token_uniqueness():
+    """Each token should be unique."""
+    tokens = {generate_csrf_token() for _ in range(100)}
+    assert len(tokens) == 100
+
+
+def test_csrf_constants():
+    """CSRF constants should be set."""
+    assert CSRF_COOKIE_NAME == "fusionagi_csrf"
+    assert CSRF_HEADER_NAME == "x-csrf-token"
+    assert CSRF_TOKEN_LENGTH == 32