
feat(api): add helmet security headers #109

Merged
Jagadeeshftw merged 2 commits into Fluxora-Org:main from Jayking40:main
Mar 31, 2026

Conversation

@Jayking40
Contributor

Title

feat(api): add helmet security header baseline

Summary

This PR adds Helmet to the Fluxora backend so every HTTP response gets a predictable browser-facing security-header baseline and Express fingerprinting is suppressed.

It also documents the service-level outcomes, trust boundaries, expected failure behavior, observability guidance, verification steps, and explicit non-goals for this issue so operators can validate and diagnose the behavior without tribal knowledge.

Changes

  • Applied Helmet globally at the Express app boundary
  • Disabled the X-Powered-By header
  • Added and documented the security-header baseline for public clients, partners, operators, and internal workers
  • Updated the OpenAPI description to describe the security-header guarantees and scope
  • Added regression coverage for the expected Helmet headers across root, health, and streams routes
  • Switched the helmet regression test to an in-process harness so it can verify Express responses without opening a socket in restricted environments
  • Repaired a few small config/health module issues that were preventing the app from loading during verification

Testing

  • Ran npm test -- --run tests/helmet.test.ts
  • Verified 10/10 helmet regression tests passed
  • Performed an in-process /health probe and confirmed:
    • Content-Security-Policy
    • Strict-Transport-Security
    • X-Content-Type-Options: nosniff
    • X-Frame-Options: SAMEORIGIN
    • Referrer-Policy
  • Ran npm run build

Closes #27
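As an added illustration of the two points the PR description makes (register the header middleware once at the app boundary, before any route, and verify the resulting headers in-process without binding a socket), here is a dependency-free sketch. It is not Fluxora's code and does not use express or helmet: `createApp` is a minimal stand-in for Express's middleware chain, `securityHeaders()` stands in for `app.use(helmet())`, and `expressPoweredBy` mimics the `X-Powered-By: Express` header Express adds unless `app.disable('x-powered-by')` is set. The baseline values are chosen to match what Helmet sends by default as far as I know them; confirm them against the pinned helmet version, since the CSP defaults in particular change between major releases. All function names are this example's own.

```javascript
// Added example, not Fluxora's code: a dependency-free stand-in for an Express
// app plus an in-process harness that audits a Helmet-style header baseline
// without calling listen(). createApp, securityHeaders, invoke,
// auditSecurityHeaders and auditRoutes are this example's own names.

// Minimal Express-style app: app.use(fn) pushes middleware, app.get(path, fn)
// wraps a route, and calling app(req, res) runs the chain in order.
function createApp() {
  const stack = [];
  const app = (req, res) => {
    let i = 0;
    const next = () => {
      const fn = stack[i++];
      if (!fn) { res.statusCode = 404; res.end('not found'); return; }
      fn(req, res, next);
    };
    next();
  };
  app.use = (fn) => { stack.push(fn); return app; };
  app.get = (path, fn) => app.use((req, res, next) =>
    (req.method === 'GET' && req.url === path ? fn(req, res, next) : next()));
  return app;
}

// What Express does by default unless app.disable('x-powered-by') is set.
const expressPoweredBy = (req, res, next) => { res.setHeader('X-Powered-By', 'Express'); next(); };

// Header baseline. Assumption: these match Helmet's defaults; verify against the
// pinned version before relying on them.
const BASELINE = {
  'Content-Security-Policy':
    "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';" +
    "frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';" +
    "script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'no-referrer',
};

// Stand-in for app.use(helmet()): set the baseline and strip the fingerprint.
function securityHeaders() {
  return (req, res, next) => {
    res.removeHeader('X-Powered-By');
    for (const [name, value] of Object.entries(BASELINE)) res.setHeader(name, value);
    next();
  };
}

function addRoutes(app) {
  app.get('/', (req, res) => res.end('fluxora'));
  app.get('/health', (req, res) => res.end('{"status":"ok"}'));
  app.get('/streams', (req, res) => res.end('[]'));
  return app;
}

// Hardened: header middleware registered at the app boundary, before any route.
// Weak: fingerprint left on, and the header middleware registered after the
// routes, so any route that ends the response never reaches it.
const hardenedApp = addRoutes(createApp().use(securityHeaders()));
const weakApp = addRoutes(createApp().use(expressPoweredBy)).use(securityHeaders());

// In-process harness: drive the app with a mock req/res that records headers,
// so the check also runs where opening a socket is not permitted.
function invoke(app, url, method = 'GET') {
  const headers = {};
  const req = { method, url, headers: {} };
  let body = '';
  const res = {
    statusCode: 200,
    setHeader(n, v) { headers[n.toLowerCase()] = String(v); },
    getHeader(n) { return headers[n.toLowerCase()]; },
    removeHeader(n) { delete headers[n.toLowerCase()]; },
    end(chunk) { if (chunk) body += chunk; },
  };
  app(req, res);
  return { status: res.statusCode, headers, body };
}

// Regression check for one response's headers (names lower-cased by invoke()).
function auditSecurityHeaders(h) {
  const findings = [];
  for (const name of Object.keys(BASELINE).map((n) => n.toLowerCase())) {
    if (!(name in h)) findings.push(`missing ${name}`);
  }
  if ('x-powered-by' in h) findings.push(`fingerprint present: x-powered-by=${h['x-powered-by']}`);
  if (h['x-content-type-options'] && h['x-content-type-options'].toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options is not nosniff');
  }
  if (h['x-frame-options'] && !['deny', 'sameorigin'].includes(h['x-frame-options'].toLowerCase())) {
    findings.push('x-frame-options is neither DENY nor SAMEORIGIN');
  }
  const hsts = h['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 15552000) findings.push('hsts max-age below 180 days');
  }
  const csp = h['content-security-policy'];
  if (csp) {
    const dirs = csp.split(';').map((d) => d.trim().split(/\s+/)[0]).filter(Boolean);
    for (const d of ['default-src', 'object-src', 'frame-ancestors']) {
      if (!dirs.includes(d)) findings.push(`csp lacks ${d}`);
    }
  }
  return findings;
}

// Audit every route the baseline must cover plus an unknown path: the guarantee
// is "every response", and a 404 is a response too.
function auditRoutes(app, paths = ['/', '/health', '/streams', '/does-not-exist']) {
  const report = {};
  for (const p of paths) report[p] = auditSecurityHeaders(invoke(app, p).headers);
  return report;
}
```

The weak app is instructive: its 404 path passes the audit because the fall-through reaches the late-registered header middleware, while `/`, `/health` and `/streams` fail with the fingerprint present and every baseline header missing. A regression test that only probed an unknown path would have missed the ordering bug, which is why checking each real route matters.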

@Jagadeeshftw Jagadeeshftw merged commit e29d7b2 into Fluxora-Org:main Mar 31, 2026
0 of 2 checks passed

Development

Successfully merging this pull request may close these issues.

Security headers: helmet middleware

2 participants