GSSA-2026-04-3GT28F
2026-04-25
5.1 Medium
No security headers, rate limiting, or CORS policy on the HTTP layer
The Fastify HTTP server registered no `helmet` middleware, no rate limiter, and no CORS policy, leaving the dashboard and admin API exposed to clickjacking, MIME sniffing, brute-force attempts against auth endpoints, and the risks that follow from a missing Content Security Policy.