fix(api): change import type to value imports for DTOs in controllers

apps/api/src/common/guards/csrf.guard.ts

@@ -111,9 +111,14 @@ export class CsrfGuard implements CanActivate {
 
         throw new ForbiddenException("CSRF token not bound to session");
       }
+    } else {
+      this.logger.debug({
+        event: "CSRF_SKIP_SESSION_BINDING",
+        method: request.method,
+        path: request.path,
+        reason: "User context not yet available (global guard runs before AuthGuard)",
+      });
     }
-    // Note: when userId is absent, the double-submit cookie check above is
-    // sufficient CSRF protection. AuthGuard populates request.user afterward.
 
     return true;
   }