feat: Add CSP violation report endpoint

Add /api/csp-report endpoint to receive and log Content Security Policy
violation reports from browsers.

This endpoint:
- Accepts POST requests with CSP violation reports (JSON)
- Validates the report structure
- Logs violations using Pino logger with relevant fields
- Returns 204 No Content on success

This is a prerequisite for implementing CSP headers in Report-Only mode,
allowing us to monitor what resources would be blocked before enforcing
the policy.

Closes #780