feat: reject common passwords in SetupRequest

- Add ~75 common plaintext passwords to setup.py validator
- Check case-insensitively; passes complexity but blocked
- Add tests: reject common, accept unique, short common fail on length
- Update Security.md docs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Docs/Security.md

@@ -88,6 +88,7 @@ See `backend/app/middleware/csrf.py` and `backend/app/middleware/rate_limit.py`
 - Passwords are hashed with SHA256 on the frontend before transmission
 - The backend never stores plain-text passwords
 - See `backend/app/services/auth.py` for authentication implementation
+- **Common password prevention:** The setup validator rejects a list of ~75 common plaintext passwords that pass structural complexity checks (e.g., `Password1!`). The list is embedded in `backend/app/models/setup.py` and is checked case-insensitively.
 
 ---
 

Docs/Tasks.md

@@ -1,39 +1,3 @@
-### Issue #30: LOW-MEDIUM - IPv4-Mapped IPv6 Address Duplicates
-
-**Where found**: 
-- `backend/app/utils/ip_utils.py`
-- Treats "192.168.1.1" and "::ffff:192.168.1.1" as different IPs
-
-**Why this is needed**: 
-Same IP can be banned twice in different formats, causing:
-- Duplicate ban logs
-- Geo cache duplicates
-- Analytics skewed
-
-**Goal**: 
-Normalize IP addresses to canonical form.
-
-**What to do**:
-1. Add normalization:
-   ```python
-   def normalize_ip(ip_str: str) -> str:
-       ip = ipaddress.ip_address(ip_str)
-       # Convert IPv4-mapped IPv6 to IPv4
-       if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
-           return str(ip.ipv4_mapped)
-       return str(ip)
-   ```
-2. Apply on all IP inputs (ban, import, etc.)
-3. Test with various formats
-
-**Docs changes needed**:
-- Document IP normalization
-
-**Doc references**:
-- DETAILED_FINDINGS.md - Issue #22 "IPv4-Mapped IPv6"
-
----
-
 ### Issue #31: LOW-MEDIUM - Weak Master Password Validation
 
 **Where found**: