fix(security): remediate 44 SonarQube vulnerabilities

[devin-ai-integration]

Summary

Remediates all 44 open SonarQube issues identified in the pre-scan across 23 files. Fixes span all severity levels (11 BLOCKER, 15 MAJOR, 18 MINOR) covering code quality, accessibility, security, and test correctness.

Fix Breakdown by Severity

Severity	Count	Rules
BLOCKER	11	S2699 (9 missing test assertions), S7651 (2 DOM event name collisions)
MAJOR	15	S2933 (8 readonly modifiers), S5914 (4 trivially-true assertions), S5254, S6850
MINOR	18	S7764 (4), S1874 (4), S5725 (2), ImgWithoutAltCheck (3), S7765, S7773, S7735 (2), MouseEventWithoutKeyboardEquivalentCheck

Key Changes

• S2699 / S5914 (BLOCKER/MAJOR): Added meaningful assertions to 9 test cases that had none, replaced 4 expect(true).toBe(true) with actual result checks
• S7651 (BLOCKER): Renamed @Output() toggle to favoriteToggle / followToggle to avoid collision with standard DOM toggle event; updated all template bindings
• S2933 (MAJOR): Added readonly to 8 class members that are never reassigned
• S7764 (MINOR): Replaced window.localStorage with globalThis.localStorage in jwt.service.ts; replaced window.__conduit_debug__ with globalThis.__conduit_debug__ in app.config.ts (updated type declaration accordingly)
• S1874 (MINOR): Replaced deprecated BrowserDynamicTestingModule / platformBrowserDynamicTesting with BrowserTestingModule / platformBrowserTesting in test-setup and all spec files
• S5254 (MAJOR): Added lang="en" to <html> element
• S6850 (MAJOR): Added screen-reader text to heading containing only an image
• ImgWithoutAltCheck (MINOR): Added alt attributes to 3 images (header, article comment, profile)
• S5725 (MINOR): Added crossorigin="anonymous" and converted protocol-relative URLs to HTTPS for CDN links
• S7765 / S7773 (MINOR): Replaced .indexOf() < 0 with !.includes(); replaced parseInt with Number.parseInt
• S7735 (MINOR): Refactored negated conditions in favorite-button and follow-button
• MouseEventWithoutKeyboardEquivalentCheck (MINOR): Added (keyup.enter) keyboard handler, tabindex, and role="button" to tag remove icon

Build Verification

• bun run build passes cleanly
• bun run format — no formatting issues
• Unit tests (bun run test) fail on main with pre-existing zone.js resolution error (not a dependency in package.json) — not caused by this PR

Review & Testing Checklist for Human

• Verify the @Output() rename from toggle to favoriteToggle/followToggle doesn't break any custom event bindings outside the changed templates
• Test favorite/unfavorite and follow/unfollow flows end-to-end to confirm the refactored condition logic (S7735) preserves behavior
• Confirm the globalThis usage works in all target browsers (should be fine for modern Angular apps)
• Review the BrowserTestingModule migration — ensure test infrastructure is compatible with Angular 21

Notes

• The 2 S5725 issues (resource integrity for CDN links) are addressed by adding crossorigin="anonymous" and converting to HTTPS. Full SRI hashes are impractical for Google Fonts (content varies by user-agent) and Ionicons (hash not published). These are security hotspot reviews rather than definitive vulnerabilities.
• Pre-existing test failures on main branch: all 6 spec files fail with zone.js import resolution error. This is an environment/dependency issue unrelated to this PR.

Link to Devin session: https://app.devin.ai/sessions/782940b10b794b14967f0559947272e8
Requested by: @SachetCognition

---

Devin Review

Status	Commit
⚪ Not started	—

Run Devin Review

💡 Connect your GitHub account to enable automatic code reviews.

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring