Fix 16 HIGH/MEDIUM security bugs across API

HIGH fixes:
- TOTP disable now requires valid code verification
- TOTP secret removed from plaintext file storage
- Container ID validated before update/check-update/logs operations
- DNS server parameter restricted to configured servers (SSRF prevention)
- Backup export no longer includes encryption key
- Backup restore of sensitive files requires TOTP re-authentication

MEDIUM fixes:
- Session cookie Secure flag added
- Caddy reload errors no longer leaked to client
- saveConfig uses atomic locked updates via configStateManager
- Log file path traversal prevented via symlink resolution
- Credential cache entries now expire after 5 minutes
- _httpFetch enforces 10MB response size limit
- External URL path injection into Caddyfile blocked
- Custom volume host paths validated against allowed roots
- Error logs endpoint no longer returns stack traces
- Logo delete path traversal prevented via path.basename()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

dashcaddy-api/routes/auth/totp.js

@@ -66,7 +66,6 @@ module.exports = function(ctx) {
 
     ctx.totpConfig.isSetUp = true;
     ctx.totpConfig.enabled = true;
-    ctx.totpConfig.secret = pendingSecret; // Persist to file for auto-restore
     if (ctx.totpConfig.sessionDuration === 'never') {
       ctx.totpConfig.sessionDuration = '24h';
     }
@@ -132,7 +131,11 @@ module.exports = function(ctx) {
   router.post('/totp/disable', ctx.asyncHandler(async (req, res) => {
     const { code } = req.body;
 
-    if (ctx.totpConfig.enabled && ctx.totpConfig.isSetUp && code) {
+    // Always require a valid TOTP code when TOTP is active
+    if (ctx.totpConfig.enabled && ctx.totpConfig.isSetUp) {
+      if (!code || !/^\d{6}$/.test(code)) {
+        return ctx.errorResponse(res, 400, 'A valid TOTP code is required to disable TOTP');
+      }
       const { authenticator } = require('otplib');
       const secret = await ctx.credentialManager.retrieve('totp.secret');
       if (secret) {