========================================
[Sun Feb  8 22:44:32 AEDT 2026] CC VPS triggered by Rivet
========================================

Task:
Fix CRITICAL bug: Missing CSRF protection on /api/messages/start route. This is the only state-changing POST endpoint without CSRF protection. Wrap the handler with withCSRFProtection(). Check how other protected routes implement this and apply the same pattern.
----------------------------------------

## ✅ CRITICAL Security Bug Fixed

**What I changed:**
- Added CSRF protection to `/api/messages/start` route using `withCSRFProtection()` wrapper
- Applied the same pattern used by other protected routes (`/api/payments/create`, `/api/ai/generate-profile`)

**Why this matters:**
This was the **only state-changing POST endpoint** without CSRF protection, creating a vulnerability where attackers could trick authenticated users into creating unwanted conversations.

**Changes made:**
1. Imported `withCSRFProtection` from `@/lib/csrf`
2. Converted the inline handler to a named function
3. Wrapped the export with `withCSRFProtection(handler)`

The app has been **built**, **restarted**, **committed**, and **pushed** to main.

----------------------------------------
[Sun Feb  8 22:46:27 AEDT 2026] Task finished (exit code: 0)
