fix: Add CSRF exempt for analytics API endpoints

app.py

@@ -3100,6 +3100,7 @@ def api_notifications_unread_count():
 # ============================================================
 
 @app.route('/api/analytics/track', methods=['POST'])
+@csrf.exempt
 def api_analytics_track():
     """Track clicks and interactions from frontend"""
     data = request.get_json()
@@ -3157,6 +3158,7 @@ def api_analytics_track():
 
 
 @app.route('/api/analytics/heartbeat', methods=['POST'])
+@csrf.exempt
 def api_analytics_heartbeat():
     """Keep session alive and update duration"""
     analytics_session_id = session.get('analytics_session_id')