fix(export): neutralize CSV/DDE formula injection in exported text

Exported journal notes and scraped event titles could begin with a formula
trigger (= + - @, tab, CR) that Excel/LibreOffice execute on open.
Csv.NeutralizeFormula apostrophe-prefixes such cells so they render as text;
applied to user notes, raw event ids and scraped titles. Numeric/date cells
the exporter formats itself stay numeric for downstream analysis.

tests/Marathon.Application.Tests/Export/CsvTests.cs

@@ -38,4 +38,32 @@ public sealed class CsvTests
             "Kelly,ok\r\n" +
             "\"Flat, fixed\",\"say \"\"hi\"\"\"\r\n");
     }
+
+    [Theory]
+    [InlineData("=cmd|'/c calc'!A1")]
+    [InlineData("+1+1")]
+    [InlineData("-2+3")]
+    [InlineData("@SUM(A1)")]
+    [InlineData("\ttab")]
+    [InlineData("\rcr")]
+    public void NeutralizeFormula_PrefixesLeadingFormulaTriggers(string dangerous)
+    {
+        Csv.NeutralizeFormula(dangerous).Should().Be("'" + dangerous);
+    }
+
+    [Theory]
+    [InlineData("Home vs Away")]
+    [InlineData("normal note")]
+    [InlineData("3-1 win")]
+    [InlineData("")]
+    public void NeutralizeFormula_LeavesSafeValuesUntouched(string safe)
+    {
+        Csv.NeutralizeFormula(safe).Should().Be(safe);
+    }
+
+    [Fact]
+    public void NeutralizeFormula_Null_IsEmpty()
+    {
+        Csv.NeutralizeFormula(null).Should().BeEmpty();
+    }
 }