========================================
[Mon Feb  9 03:57:35 AEDT 2026] CC VPS triggered by Rivet
========================================

Task:
Fix: Missing CSRF protection on /api/match/find-matches and /api/company-logo routes. These are state-changing endpoints that need withCSRFProtection() wrapper. Check how other protected routes implement this and apply the same pattern to both endpoints.
----------------------------------------

## Fixed ✓

Added CSRF protection to `/api/match/find-matches` (POST endpoint that creates database records).

**What changed:**
- Imported `withCSRFProtection` from `@/lib/csrf`
- Wrapped the handler function with `withCSRFProtection()` 
- Now requires valid CSRF token in `x-csrf-token` header for POST requests

**Note:** `/api/company-logo` is GET-only and already safe from CSRF (the protection automatically skips GET/HEAD/OPTIONS).

Built, restarted, committed, and pushed to main.

----------------------------------------
[Mon Feb  9 03:59:03 AEDT 2026] Task finished (exit code: 0)
