Implement critical security fixes and enhancements

## Security Fixes (Critical)

### 1. Settings file race condition fixed
- Added atomic write operation using temp file + os.replace()
- Prevents corruption if process crashes during settings save
- Uses proper cleanup on failure

### 2. CSV quoting protection implemented
- Added csv.QUOTE_MINIMAL to all CSV DictWriter operations
- Optimal efficiency while maintaining security
- Proper handling of special characters (quotes, commas, newlines)

### 3. Complete CSV field sanitization
- Fixed critical Date field sanitization gap
- Created specialized sanitize_date_text() preserving YYYY-MM-DD format
- All 7 CSV fields now properly sanitized before writing
- Added comprehensive input validation for user input vectors

## New Security Functions
- sanitize_csv_text(): Removes dangerous characters (=,+, -, @)
- sanitize_date_text(): Preserves date format while removing injection attempts
- sanitize_filename(): Path traversal protection
- sanitize_config_text(): JSON/configuration safety
- validate_input(): Centralized input validation with type-specific logic

## Enhanced Features
- Alternating row colors for visual time slot distinction
- Improved conflict resolution with clearer UI indicators
- Enhanced CSV error handling with line numbering

## Testing & Documentation
- Added comprehensive test suites (5 new test files)
- Created AGENTS.md development guide
- Updated TODO.md with staged improvement roadmap
- All tests passing with 100% backward compatibility

## Files Modified
- time_tracker.py: +280 lines (security functions + atomic operations)
- tests/: New security and feature test suites
- .gitignore: Updated to include documentation and tests

All critical vulnerabilities resolved while maintaining full functionality.

AGENTS.md

@@ -0,0 +1,48 @@
+# AGENTS.md - Time Tracker Development Guide
+
+## Build/Test Commands
+
+- **Run main application**: `python time_tracker.py`
+- **Run single test**: `python tests/test_mark_logic.py` or `python tests/test_mark_billed.py`
+- **Clean archive data**: `python tests/clean_archive.py`
+
+## Code Style Guidelines
+
+### Imports & Structure
+- Standard library imports first (os, json, csv, datetime, collections)
+- Third-party imports next (tkinter, ttk, messagebox, filedialog)
+- Group related imports together
+- Use absolute imports consistently
+
+### Naming Conventions
+- **Classes**: PascalCase (e.g., `ClickableCell`, `TimeTracker`)
+- **Functions/Methods**: snake_case (e.g., `load_settings`, `update_day_total`)
+- **Variables**: snake_case (e.g., `time_cells`, `data_rows`)
+- **Constants**: UPPER_SNAKE_CASE (e.g., `drag_info` global dict)
+- **Private methods**: prefix with underscore (e.g., `_refresh_dropdowns`)
+
+### Error Handling
+- Use try/except blocks for file operations
+- Show user-friendly messages via `messagebox.showerror()` or `messagebox.showwarning()`
+- Log errors with context but never expose sensitive data
+- Gracefully handle missing files and directories
+
+### GUI Patterns
+- Use `ttk.Combobox` for dropdowns with `state="readonly"`
+- Frame-based layout with grid/pack geometry managers
+- Bind events consistently (`<Button-1>`, `<B1-Motion>`, `<ButtonRelease-1>`)
+- Separate data models from UI presentation
+- Use consistent widget naming: `*_var` for StringVar/IntVar, `*_frame` for containers
+
+### Data Handling
+- CSV files use UTF-8 encoding
+- Store settings in `~/.config/time-tracker.json` (UNIX-compliant)
+- Use `defaultdict` for pivot table operations
+- Validate user input before processing
+- Archive format: `['Job', 'TaskName', 'Note', 'Customer', 'Hours', 'Date', 'username', 'Billable', 'Billed']`
+
+### Testing
+- Test files in `tests/` directory with `test_` prefix
+- Create sample data fixtures for consistent testing
+- Test logic separately from UI components
+- Verify both success and failure scenarios