feat: implement 15 production items (SSE, security, observability, features, infra)

Performance:
- SSE dashboard streaming endpoint (GET /v1/admin/status/stream)
- Web Worker for markdown rendering (offload from main thread)
- IndexedDB chat persistence (replace localStorage, 500msg support)

Security:
- CSRF protection middleware (Origin/Referer validation)
- Content Security Policy + security headers middleware
- API key rotation endpoint (POST /v1/admin/keys/rotate)

Observability:
- OpenTelemetry tracing with graceful NoOp fallback
- Structured error codes (FAGI-xxxx taxonomy with ErrorResponse schema)
- Audit log export (CSV + JSON at /v1/admin/audit/export/*)

Features:
- Multi-session management hook (parallel conversations)
- Conversation export (markdown/JSON/text download + clipboard)
- Head customization UI (enable/disable + weight sliders for 12 heads)

Infrastructure:
- Kubernetes Helm chart (Deployment, Service, HPA, Ingress)
- Database migration versioning (generate, verify commands)
- Blue-green deployment manifests (color-based traffic switching)

Tests: 598 Python + 56 frontend = 654 total, 0 ruff errors
Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>

tests/test_security_middleware.py

@@ -0,0 +1,17 @@
+"""Tests for CSRF and CSP security middleware."""
+
+from fusionagi.api.security import get_csp_middleware, get_csrf_middleware
+
+
+def test_csrf_middleware_class():
+    """CSRF middleware should be a valid class."""
+    cls = get_csrf_middleware()
+    assert cls is not None
+    assert cls.__name__ == "CSRFMiddleware"
+
+
+def test_csp_middleware_class():
+    """CSP middleware should be a valid class."""
+    cls = get_csp_middleware()
+    assert cls is not None
+    assert cls.__name__ == "CSPMiddleware"