fix: bump rate limits 50/500, catch empty Mistral responses

fix: voice accumulates across auto-restarts + rate limit 30/200 per day

fix: backend audit — rate limits, prompt restructure, security, cleanup

security: harden backend — session secret, auth, SSRF, rate limits, timeouts

fix: bump rate limit to 10/day unauth, 20/day auth

fix: switch to gemini-2.5-flash, use X-Forwarded-For for rate limiting behind proxy

feat: rate limiting, Cloudflare Turnstile captcha, daily token budget