Add import-linter boundary to forbid routers importing app.dependencies

Issue #51: Enforce repository boundary at CI level using import-linter.
Contract 'forbid_router_db_import' checks that app.routers never imports
app.dependencies directly, keeping the DB access path through service
contexts only.

- Add import-linter>=2.0.0 to dev dependencies (backend/pyproject.toml)
- Configure [tool.importlinter] with package_root and root_packages
- Add [[tool.importlinter.contracts]] with type='forbidden', source
  app.routers, forbidden app.dependencies
- Add 'Import Boundary' CI job (import-linter)
- Document import-linter in CONTRIBUTING.md code quality table

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

backend/pyproject.toml

@@ -31,6 +31,7 @@ dev = [
     "mypy>=1.13.0",
     "pytest-cov>=6.0.0",
     "pytest-mock>=3.14.0",
+    "import-linter>=2.0.0",
 ]
 
 [tool.hatch.build.targets.wheel]
@@ -64,3 +65,13 @@ pythonpath = [".", "../fail2ban-master"]
 testpaths = ["tests"]
 addopts = "--asyncio-mode=auto --cov=app --cov-report=term-missing"
 filterwarnings = ["ignore::pytest.PytestRemovedIn9Warning"]
+
+[tool.importlinter]
+package_root = "app"
+root_packages = ["app"]
+
+[[tool.importlinter.contracts]]
+name = "forbid_router_db_import"
+type = "forbidden"
+source_modules = ["app.routers"]
+forbidden_modules = ["app.dependencies"]