Observability, security hardening, and image uploads on the server

A foundational pass on the server side:

• Observability: structured logging on all /api/db endpoints with request-id correlation, plus a per-route latency histogram surfaced in the dashboard.
• Security hardening: rate limits on auth endpoints, stricter CORS, security headers (CSP, HSTS, X-Content-Type-Options) applied uniformly across all three apps.
• Image uploads to R2: typed buffer-based upload helper with content-hashed object keys and a sharp-based optimisation pass before upload.

None of this is glamorous user-facing work but it is the floor everything else stands on.