Fix 16 HIGH/MEDIUM security bugs across API

HIGH fixes:
- TOTP disable now requires valid code verification
- TOTP secret removed from plaintext file storage
- Container ID validated before update/check-update/logs operations
- DNS server parameter restricted to configured servers (SSRF prevention)
- Backup export no longer includes encryption key
- Backup restore of sensitive files requires TOTP re-authentication

MEDIUM fixes:
- Session cookie Secure flag added
- Caddy reload errors no longer leaked to client
- saveConfig uses atomic locked updates via configStateManager
- Log file path traversal prevented via symlink resolution
- Credential cache entries now expire after 5 minutes
- _httpFetch enforces 10MB response size limit
- External URL path injection into Caddyfile blocked
- Custom volume host paths validated against allowed roots
- Error logs endpoint no longer returns stack traces
- Logo delete path traversal prevented via path.basename()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

dashcaddy-api/routes/config/assets.js

@@ -166,10 +166,10 @@ module.exports = function(ctx) {
     const logoPaths = [config.customLogo, config.customLogoDark, config.customLogoLight].filter(Boolean);
     const seen = new Set();
     for (const logoPath of logoPaths) {
-      const filename = logoPath.replace('/assets/', '');
-      if (seen.has(filename)) continue;
+      const filename = path.basename(logoPath);
+      if (!filename || seen.has(filename)) continue;
       seen.add(filename);
-      const filePath = `${assetsPath}/${filename}`;
+      const filePath = path.join(assetsPath, filename);
       if (await exists(filePath)) {
         await fsp.unlink(filePath);
       }