Previously, when CSRF validation failed and the path wasn't in the exempt
list, the middleware called call_next() to execute the endpoint BEFORE
checking the @csrf_exempt decorator. This caused side effects (DB writes,
API calls, etc.) to occur on protected endpoints even when CSRF validation
failed.
Now the middleware resolves the route endpoint by walking the FastAPI/
Starlette router WITHOUT executing it, checks @csrf_exempt, and only
then either allows the request through or returns 403.
- Add _resolve_endpoint() method to walk middleware chain and match routes
- Remove call_next() before @csrf_exempt check (5 lines deleted)
- Add regression test proving endpoints don't execute before CSRF check
- Add test confirming @csrf_exempt endpoints still execute normally
