fix: implement security severity policy and enhance CodeQL checks for blocking findings

.github/workflows/quality-checks.yml

@@ -18,6 +18,27 @@ env:
   GOTOOLCHAIN: auto
 
 jobs:
+  auth-route-protection-contract:
+    name: Auth Route Protection Contract
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+          ref: ${{ github.sha }}
+
+      - name: Set up Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: backend/go.sum
+
+      - name: Run auth protection contract tests
+        run: |
+          set -euo pipefail
+          cd backend
+          go test ./internal/api/routes -run 'TestRegister_StateChangingRoutesRequireAuthentication|TestRegister_StateChangingRoutesDenyByDefaultWithExplicitAllowlist|TestRegister_AuthenticatedRoutes' -count=1 -v
+
   codecov-trigger-parity-guard:
     name: Codecov Trigger/Comment Parity Guard
     runs-on: ubuntu-latest