fix(security): add auth, rate limiting, timing-safe compare, timeouts

[kwsantiago]

• Add authentication with ADMIN_TOKEN env var and Bearer token validation on all /api/* routes
• Add rate limiting (100 req/min) to main server and proxy (100/1000 req/min admin/data)
• Fix timing attack in token comparison by padding buffers before timingSafeEqual
• Add 30-second request timeouts to all proxy client fetch calls
• Add @fastify/helmet security headers to both servers
• Add Authorization header support to dashboard API calls