Migrate 25 route files to throw-based error handling

Converted routes:
- All auth routes (totp.js, keys.js, sso-gate.js)
- Recipe deployment routes (deploy.js, manage.js, index.js)
- App deployment routes
- Config routes (assets, backup, settings)
- ARR routes (config, credentials)
- Infrastructure routes (dns, services, sites, logs)
- Additional routes (browse, ca, health, license, notifications, tailscale, updates)

Changes:
- Replaced ctx.errorResponse() with throw statements
- Replaced errorResponse() with throw statements
- Added proper error imports to each file
- 400 errors → ValidationError
- 401 errors → AuthenticationError
- 403 errors → ForbiddenError
- 404 errors → NotFoundError
- 409 errors → ConflictError
- 500 errors → Handled by middleware

Result: 25 files migrated, ~150 error responses standardized

dashcaddy-api/routes/ca.js

@@ -67,7 +67,7 @@ module.exports = function(ctx) {
   router.get('/install-script', ctx.asyncHandler(async (req, res) => {
     const platform = (req.query.platform || 'windows').toLowerCase();
     if (!['windows', 'linux', 'macos'].includes(platform)) {
-      return ctx.errorResponse(res, 400, 'Invalid platform. Use: windows, linux, or macos');
+      throw new ValidationError('Invalid platform. Use: windows, linux, or macos');
     }
 
     // Load cert info to get the fingerprint
@@ -134,7 +134,7 @@ module.exports = function(ctx) {
     const { password = 'dashcaddy', format = 'pfx' } = req.query;
 
     if (!/^[a-zA-Z0-9!@#%^_+=,.:-]{1,64}$/.test(password)) {
-      return ctx.errorResponse(res, 400, 'Invalid password. Use only letters, numbers, and basic symbols (max 64 chars).');
+      throw new ValidationError('Invalid password. Use only letters, numbers, and basic symbols (max 64 chars).');
     }
 
     if (!domain || !/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/i.test(domain)) {