chore(auth): non-blocking follow-ups from final review

- /api/stats: add verifyCsrf middleware (defense-in-depth; no-op for GETs)
- VerifyEmailPage: useRef guard to prevent React StrictMode double-fire of
  the single-use verify token in dev
- router.tsx: route-level code splitting via React.lazy + Suspense; initial
  bundle drops from 397 KB to 224 KB with per-route chunks (0.3–14 KB each)
- e2e: wait for verify-email completion before login; bump Account-menu
  timeout to handle Vite cold-chunk compile

e2e/auth.spec.ts

@@ -26,12 +26,14 @@ test('admin invites user; user accepts and logs in', async ({ page }) => {
   await page.getByRole('button', { name: /Account aanmaken/ }).click();
   await expect(page.getByText(/bevestigingsmail/i)).toBeVisible();
   await page.goto(await fetchLink(adminEmail, 'verify-email'));
+  await expect(page.getByRole('link', { name: 'Naar inloggen' })).toBeVisible({ timeout: 10_000 });
 
   await page.goto('/login');
   await page.getByLabel(/E-mailadres/).fill(adminEmail);
   await page.getByLabel(/Wachtwoord/).fill(adminPw);
   await page.getByRole('button', { name: 'Inloggen' }).click();
-  await expect(page.getByRole('button', { name: 'Account menu' })).toBeVisible();
+  // Cold Vite chunks can take a few seconds to compile on the first run.
+  await expect(page.getByRole('button', { name: 'Account menu' })).toBeVisible({ timeout: 15_000 });
 
   await page.goto('/admin/users');
   const inviteeEmail = `invitee+${Date.now()}@example.com`;