Fix 40+ codebase issues: security, performance, duplication, dead code, and routes

HIGH:
- Add missing import RadioSongRequestFormRequest (fixes crash on POST)
- Add Purify XSS sanitization for article full_story
- Fix duplicate radio API routes (/api/radio vs /api/radio/v2)
- Add try-catch guards in InstallationController for missing records

MEDIUM:
- Fix N+1: eager load comments.user in ArticleController::show()
- Fix GuestbookController authorization logic
- Remove dead doSetup() method and duplicate route
- Extract shared HasRadioDefaults trait (remove code duplication)
- Use named routes in ForceStaffTwoFactorMiddleware
- Fix WebsiteHelpCenterTicket::isOpen() (no permission leak)
- Enable  on WebsiteHelpCenterTicket (matches schema)
- Replace WebsiteTeam::all()->pluck() with direct pluck()
- Replace CatalogPage::all()->pluck() with direct pluck()
- Replace WebsiteBadge::all() with direct pluck()
- Add throttle middleware to guestbook store, logo-generator, radio embed

LOW:
- Remove unused imports
- Remove dead /inertia-test route
- Consolidate cache keys in RadioController

app/Http/Middleware/ForceStaffTwoFactorMiddleware.php

@@ -16,12 +16,12 @@ class ForceStaffTwoFactorMiddleware
         }
 
         $user = $request->user();
-        $urls = [
-            'user/settings/two-factor',
-            'user/settings/2fa-verify',
+        $allowedRoutes = [
+            'settings.two-factor',
+            'two-factor.verify',
         ];
 
-        if (($user->rank >= setting('min_staff_rank') && ! $user->two_factor_confirmed) && ! in_array(request()->path(), $urls)) {
+        if (($user->rank >= setting('min_staff_rank') && ! $user->two_factor_confirmed) && ! in_array(request()->route()?->getName(), $allowedRoutes)) {
             return to_route('settings.two-factor');
         }