
Fix R01-N15: add noreferrer to external task URL link

Sprint URLs are guessable IDs; leaking them via Referer to attacker-
controlled t.url targets reveals that an internal sprint exists. Adding
noreferrer to the user-controlled task link in the task list closes
that small privacy leak. The same-origin /present link in show.twig is
unaffected (no external Referer leak there).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa 2 days ago
parent commit d16bff4616
1 changed file with 1 addition and 1 deletion
  1. views/sprints/_task_list.twig  +1 -1

+ 1 - 1
views/sprints/_task_list.twig

@@ -210,7 +210,7 @@
                                     {% endif %}
 
                                     <a data-task-url-link href="{{ t.url }}"
-                                       target="_blank" rel="noopener"
+                                       target="_blank" rel="noopener noreferrer"
                                        class="task-url-link inline-flex items-center justify-center w-5 h-5 rounded text-blue-600 hover:bg-slate-100 dark:text-blue-400 dark:hover:bg-slate-700{% if t.url == '' %} hidden{% endif %}"
                                        title="Open task link"
                                        aria-label="Open task link">
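Review bot: `href="{{ t.url }}"` still interpolates the user-controlled task URL with no scheme restriction, so the `rel` change does not cover a `javascript:` or `data:` value; unless `t.url` is validated on input (not visible in this hunk), guard the link here as well, e.g. render it only when `t.url starts with 'https://' or t.url starts with 'http://'` (Twig's `starts with` operator) and otherwise fall back to the same `hidden` handling the template already applies for `t.url == ''`. Keeping `noopener` next to `noreferrer` is fine: `noreferrer` implies `noopener` in current browsers and the explicit token covers older ones. For a page-wide guarantee rather than a per-link one, a `Referrer-Policy: no-referrer` (or `strict-origin-when-cross-origin`) response header on the sprint views would also protect any external link added later without this attribute.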