refactor: comprehensive code review fixes and security hardening
Security:
- Add CSP headers for HTML reports (style-src 'unsafe-inline')
- Restrict origin validation to specific .kappa-d8e.workers.dev domain
- Add base64 size limit (100KB) for report data parameter
- Implement rejection sampling for unbiased password generation
- Add SQL LIKE pattern escaping for tech specs query
- Add security warning for plaintext password storage (TODO: encrypt)

Performance:
- Add Telegram API timeout (10s) with AbortController
- Fix rate limiter sorting by resetTime for proper cleanup
- Use centralized TIMEOUTS config for VPS provider APIs

Features:
- Add admin SSH key support for server recovery access
  - ADMIN_SSH_PUBLIC_KEY for Linode (public key string)
  - ADMIN_SSH_KEY_ID_VULTR for Vultr (pre-registered key ID)
- Add origin validation middleware
- Add idempotency key migration

Code Quality:
- Return 404 status when no servers found
- Consolidate error logging to single JSON.stringify call
- Import TECH_CATEGORY_WEIGHTS from config.ts
- Add escapeLikePattern utility function

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -5,6 +5,7 @@
|
||||
|
||||
import type { VPSProviderConfig, CreateServerRequest, CreateServerResponse } from '../types';
|
||||
import { VPSProviderBase, OS_IMAGE_MAP } from './vps-provider';
|
||||
import { TIMEOUTS } from '../config';
|
||||
|
||||
interface VultrInstance {
|
||||
id: string;
|
||||
@@ -38,7 +39,7 @@ interface VultrError {
|
||||
export class VultrProvider extends VPSProviderBase {
|
||||
static readonly DEFAULT_BASE_URL = 'https://api.vultr.com/v2';
|
||||
|
||||
constructor(apiKey: string, baseUrl?: string, timeout: number = 30000) {
|
||||
constructor(apiKey: string, baseUrl?: string, timeout: number = TIMEOUTS.VPS_PROVIDER_API_MS) {
|
||||
super({
|
||||
apiKey,
|
||||
baseUrl: baseUrl || VultrProvider.DEFAULT_BASE_URL,
|
||||
|
||||
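Review bot: the default for `timeout` in the `VultrProvider` constructor changes from the literal `30000` to `TIMEOUTS.VPS_PROVIDER_API_MS`, and the value of that constant is not visible in this diff, so callers relying on the default may get a different timeout without notice. Confirm the constant equals 30000, or state the new value in the commit message, and add a short doc comment on the parameter noting that it is in milliseconds and that the default comes from the shared config.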