This PR delivers a global security hardening pass across active modules (review, AMC, exam, results/statistics), and adds automated security checks to prevent regressions.

[KedroX]

Changes

• Enforced safer HTTP method policy for mutation endpoints:
  • Added @require_POST on high-risk write/process views in review, AMC, exam, results, and preparation flows touched in this branch.
  • Replaced GET-based mutation UI actions with CSRF-protected POST forms/buttons where needed.
• Strengthened file/archive safety:
  • Added secure ZIP extraction utility with traversal/symlink/size/count protections.
  • Replaced unsafe ZIP extraction call sites.
• Removed dynamic expression execution risk:
  • Replaced eval(...) usage for score/stat formula paths with a restricted safe evaluator.
• Hardened protected-file handling paths used by AMC/manual association flows.
• Added CI/local security automation:
  • GitHub workflow: .github/workflows/security-checks.yml
  • Local/CI script: scripts/security_check.sh
  • Guard checks:
    • scripts/check_require_post.py
    • scripts/check_forbidden_calls.py
  • Integrated Bandit + dependency audit (pip-audit) in CI.

Testing

• Local smoke tests performed on key flows:
  • Review settings/group actions
  • Exam scale/common actions
  • Results presence toggle and imports
  • AMC processing/manual association (including protected images)
• Static validation:
  • py_compile on modified security-related Python modules
  • Security guard scripts run locally (tooling-dependent parts run in CI)

Known Follow-up (Out of Scope)

• Preparation authorization/object-scoping hardening (@exam_permission_required + strict exam-scoped lookups) will be handled in a separate branch.

Checklist

• Code follows style guidelines
• Tests/checks added or updated (security checks + CI workflow)
• No secrets or sensitive data included