Security hardening: fix critical, high, and medium issues from audit

CRITICAL:
- A-001: SQL injection in snapshot — escape single quotes in backup path
- A-002: Timing attack — always verify against dummy hash when user not
  found, preventing username enumeration
- A-003: Notebook ownership — all authenticated endpoints now verify
  user_id before loading notebook data
- A-004: Point data bounds — decodePoints returns error on misaligned
  data, >4MB payloads, and NaN/Inf values

HIGH:
- A-005: Error messages — generic errors in HTTP responses, no err.Error()
- A-006: Share link authz — RevokeShareLink verifies notebook ownership
- A-007: Scan errors — return 500 instead of silently continuing

MEDIUM:
- A-008: Web server TLS — optional TLS support (HTTPS when configured)
- A-009: Input validation — page_size, stroke count, point_data alignment
  checked in SyncNotebook RPC
- A-010: Graceful shutdown — 30s drain on SIGINT/SIGTERM, all servers
  shut down properly

Added AUDIT.md with all 17 findings, status, and rationale for
accepted risks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/server/server.go

@@ -18,13 +18,16 @@ type Config struct {
 	BaseURL string
 }
 
-func Start(cfg Config) error {
+// Start creates and starts the REST API server. It returns the *http.Server
+// so the caller can manage graceful shutdown. The server runs in a background
+// goroutine.
+func Start(cfg Config) (*http.Server, error) {
 	r := chi.NewRouter()
 	RegisterRoutes(r, cfg.DB, cfg.BaseURL)
 
 	tlsCert, err := tls.LoadX509KeyPair(cfg.TLSCert, cfg.TLSKey)
 	if err != nil {
-		return fmt.Errorf("load TLS cert: %w", err)
+		return nil, fmt.Errorf("load TLS cert: %w", err)
 	}
 
 	srv := &http.Server{
@@ -40,5 +43,7 @@ func Start(cfg Config) error {
 	}
 
 	fmt.Printf("REST API listening on %s\n", cfg.Addr)
-	return srv.ListenAndServeTLS("", "")
+	go func() { _ = srv.ListenAndServeTLS("", "") }()
+
+	return srv, nil
 }