Harden backend against critical and high security vulnerabilities

- Fix WebSocket CheckOrigin to use proper url.Parse instead of string stripping
- Add admin auth checks to Users/User GraphQL queries
- Remove GraphQL GET transport to prevent CSRF via cross-site links
- Add application-level IP-based login rate limiting (5 attempts/min)
- Add path traversal bounds check on radio file upload
- Require DEV_MODE for GraphQL introspection and playground
- Move notes backend endpoint behind admin middleware
- Add dedicated Nginx rate limit zone for GraphQL (10r/s)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/graph/schema.resolvers.go

@@ -25,6 +25,10 @@ func (r *mutationResolver) Login(ctx context.Context, input model.LoginInput) (*
 		return nil, fmt.Errorf("could not get gin context")
 	}
 
+	if !r.Store.LoginLimiter.Allow(gc.ClientIP()) {
+		return nil, fmt.Errorf("too many login attempts, please try again later")
+	}
+
 	var user models.User
 	if err := r.Store.DB.Where("username = ?", input.Username).First(&user).Error; err != nil {
 		return nil, fmt.Errorf("invalid credentials")
@@ -446,6 +450,9 @@ func (r *mutationResolver) DeleteJobAppReference(ctx context.Context, id int) (b
 
 // Users is the resolver for the users field.
 func (r *queryResolver) Users(ctx context.Context) ([]*models.User, error) {
+	if !IsAdminFromCtx(ctx) {
+		return nil, fmt.Errorf("admin access required")
+	}
 	var users []models.User
 	if err := r.Store.DB.Find(&users).Error; err != nil {
 		return nil, err
@@ -459,6 +466,9 @@ func (r *queryResolver) Users(ctx context.Context) ([]*models.User, error) {
 
 // User is the resolver for the user field.
 func (r *queryResolver) User(ctx context.Context, id int) (*models.User, error) {
+	if !IsAdminFromCtx(ctx) {
+		return nil, fmt.Errorf("admin access required")
+	}
 	var user models.User
 	if err := r.Store.DB.First(&user, id).Error; err != nil {
 		return nil, fmt.Errorf("user not found")