fix: add panic recovery, rate limiting, timing-safe CI token

- Add Recovery middleware (catches panics, returns 500, logs stack trace)
- Add RateLimiter to middleware chain (30 req/min, burst 60 per IP)
- Fix CI token comparison with subtle.ConstantTimeCompare (timing attack)
- Middleware chain: Recovery → Logging → RateLimit → CORS → mux

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-29 21:08:01 +03:00
parent 5fba2e78d5
commit d418ae2b54
3 changed files with 21 additions and 2 deletions


@@ -67,10 +67,13 @@ func main() {
templatesHandler := templates.NewHandler(db, cfg)
templatesHandler.RegisterRoutes(mux)
// Wrapper chain: Logging → CORS → mux.
// Wrapper chain: Recovery → Logging → RateLimit → CORS → mux.
// Recovery must be outermost so it catches panics in all inner layers.
var handler http.Handler = mux
handler = middleware.CORS(handler)
handler = middleware.NewRateLimiter(30, time.Minute, 60).Limit(handler)
handler = middleware.Logging(handler)
handler = middleware.Recovery(handler)
addr := ":" + itoa(cfg.Port)
srv := &http.Server{
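Review bot: The limiter added at `handler = middleware.NewRateLimiter(30, time.Minute, 60).Limit(handler)` wraps `middleware.CORS`, so a request it rejects never reaches the CORS layer. The throttle response therefore presumably goes out without CORS headers, which a browser client reports as an opaque network failure rather than a rate-limit status. Preflight OPTIONS requests would also draw from the same per-IP budget. If that is not intended, swap the two lines so CORS wraps the limiter, and update the chain comment to `// Wrapper chain: Recovery → Logging → CORS → RateLimit → mux.`. The hunk also does not show how the limiter derives the client IP: behind a reverse proxy, keying on the socket peer address puts every client in one bucket, while trusting a client-supplied forwarding header unconditionally makes the limit easy to sidestep, so a comment here such as `// RateLimit keys on <client IP source>; assumes <direct exposure or trusted proxy>` would record the deployment assumption. The body of `main` starts and ends outside this hunk.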