csrf implemented

src/app.rs

@@ -68,6 +68,12 @@ impl Hooks for App {
             .layer(axum::middleware::from_fn_with_state(
                 ctx.clone(),
                 crate::shared::rbac::inject_subject,
+            ))
+            // CSRF runs outermost so it validates the double-submit token before
+            // any handler sees the request and stamps the cookie on safe ones.
+            .layer(axum::middleware::from_fn_with_state(
+                ctx.clone(),
+                crate::shared::csrf::protect,
             )))
     }