fix(lint): resolve 20 gocritic, eslint, and type safety issues

Backend (Go):
- Add named return parameters for improved readability
- Modernize octal literals (0755 → 0o755, 0644 → 0o644)
- Replace nil with http.NoBody in test requests (3 instances)
- Add error handling for rows.Close() in test helper
- Close HTTP response bodies in network tests (3 instances)

Frontend (React/TypeScript):
- Add Fast Refresh export suppressions for UI components
- Replace 'any' types with proper TypeScript types (6 instances)
- Add missing useEffect dependency (calculateScore)
- Remove unused variable in Playwright test

Testing:
- Backend coverage: 87.3% (threshold: 85%)
- Frontend coverage: 87.75% (threshold: 85%)
- All tests passing with race detection
- Zero type errors

Security:
- CodeQL scans: Zero HIGH/CRITICAL findings
- Trivy scan: Zero vulnerabilities
- Pre-commit hooks: All passing

backend/internal/network/safeclient_test.go

@@ -225,8 +225,9 @@ func TestNewSafeHTTPClient_BlocksSSRF(t *testing.T) {
 
 	for _, url := range urls {
 		t.Run(url, func(t *testing.T) {
-			_, err := client.Get(url)
+			resp, err := client.Get(url)
 			if err == nil {
+				defer resp.Body.Close()
 				t.Errorf("expected request to %s to be blocked", url)
 			}
 		})
@@ -251,8 +252,9 @@ func TestNewSafeHTTPClient_WithMaxRedirects(t *testing.T) {
 		WithMaxRedirects(2),
 	)
 
-	_, err := client.Get(server.URL)
+	resp, err := client.Get(server.URL)
 	if err == nil {
+		defer resp.Body.Close()
 		t.Error("expected redirect limit to be enforced")
 	}
 }
@@ -635,8 +637,9 @@ func TestNewSafeHTTPClient_RedirectToPrivateIP(t *testing.T) {
 	)
 
 	// Make request - should fail when trying to follow redirect to private IP
-	_, err := client.Get(server.URL)
+	resp, err := client.Get(server.URL)
 	if err == nil {
+		defer resp.Body.Close()
 		t.Error("expected error when redirect targets private IP")
 	}
 }