feat: comprehensive codebase improvements from audit

Architecture:
- Split server.rs (4,727 LOC) into 11 focused modules
- Add typed EventChannels (jobs/config/system) with appropriate capacities
- Add database query timeouts (5s on critical queries)
- Add graceful shutdown with signal handling

API:
- Add API versioning (/api/v1/) with backwards-compatible aliases
- Add X-Request-Id header for request tracing
- Create OpenAPI spec (docs/openapi.yaml)

Security:
- Add security headers middleware (CSP, X-Frame-Options, etc.)
- Add HSTS header (config-gated via https_only setting)
- Add config file permission check on Unix
- Fix path traversal vulnerability in file browser
- Add symlink detection in file browser

Frontend:
- Handle SSE lagged events with toast notification
- Clean up banned CSS patterns in components
- Add warning toast variant

Testing & Docs:
- Add FFmpeg integration tests with fixtures
- Expand documentation site (9 new pages)
- Pin MSRV to 1.85 in Cargo.toml

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-27 07:52:28 -04:00
parent c2fe9714e7
commit f31dd23230
46 changed files with 12765 additions and 5126 deletions

@@ -456,6 +456,9 @@ pub struct SystemConfig {
pub log_retention_days: Option<u32>,
#[serde(default)]
pub engine_mode: EngineMode,
/// Enable HSTS header (only enable if running behind HTTPS)
#[serde(default)]
pub https_only: bool,
}
fn default_true() -> bool {
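Review bot: the name `https_only` on the new `SystemConfig` field promises more than its doc comment describes. The comment says the flag enables the HSTS header; it does not say plain HTTP is refused or redirected, so an operator could set it expecting enforcement. Consider a name such as `enable_hsts`, or extend the doc comment to state that the flag only emits the header and that browsers cache the policy for the header's max-age, so enabling it on a host that later loses HTTPS locks those clients out until the policy expires.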
@@ -481,6 +484,7 @@ impl Default for SystemConfig {
enable_telemetry: default_telemetry(),
log_retention_days: default_log_retention_days(),
engine_mode: EngineMode::default(),
https_only: false,
}
}
}
@@ -595,6 +599,7 @@ impl Default for Config {
enable_telemetry: default_telemetry(),
log_retention_days: default_log_retention_days(),
engine_mode: EngineMode::default(),
https_only: false,
},
}
}
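Review bot: `https_only: false` is now spelled out in `impl Default for Config` as well as in `impl Default for SystemConfig`, next to the same `enable_telemetry`, `log_retention_days` and `engine_mode` defaults. If the two lists are meant to match, build this struct from `SystemConfig::default()` so a security-relevant default cannot drift between the two places; if they differ on purpose, a comment saying so would help.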