Migrate 25 route files to throw-based error handling

Converted routes:
- All auth routes (totp.js, keys.js, sso-gate.js)
- Recipe deployment routes (deploy.js, manage.js, index.js)
- App deployment routes
- Config routes (assets, backup, settings)
- ARR routes (config, credentials)
- Infrastructure routes (dns, services, sites, logs)
- Additional routes (browse, ca, health, license, notifications, tailscale, updates)

Changes:
- Replaced ctx.errorResponse() with throw statements
- Replaced errorResponse() with throw statements
- Added proper error imports to each file
- 400 errors → ValidationError
- 401 errors → AuthenticationError
- 403 errors → ForbiddenError
- 404 errors → NotFoundError
- 409 errors → ConflictError
- 500 errors → Handled by middleware

Result: 25 files migrated, ~150 error responses standardized

dashcaddy-api/routes/logs.js

@@ -175,7 +175,7 @@ module.exports = function(ctx) {
     if (!ctx.logDigest) return ctx.errorResponse(res, 503, 'Log digest not available');
     const { date } = req.params;
     if (!/^\d{4}-\d{2}-\d{2}$/.test(date)) {
-      return ctx.errorResponse(res, 400, 'Invalid date format. Use YYYY-MM-DD.');
+      throw new ValidationError('Invalid date format. Use YYYY-MM-DD.');
     }
     const format = req.query.format || 'json';
     if (format === 'text') {
@@ -209,7 +209,7 @@ module.exports = function(ctx) {
     const { path: logPath, tail = 100 } = req.query;
 
     if (!logPath) {
-      return ctx.errorResponse(res, 400, 'Log path is required');
+      throw new ValidationError('Log path is required');
     }
 
     const platformPaths = require('../platform-paths');
@@ -233,7 +233,7 @@ module.exports = function(ctx) {
     });
 
     if (!isAllowed) {
-      return ctx.errorResponse(res, 403, 'Access to this log path is not allowed');
+      throw new ForbiddenError('Access to this log path is not allowed');
     }
 
     if (!await exists(resolvedPath)) {