Fix security, performance, and code quality issues across CMS

Security:
- Replace unescaped {!! !!} with Purify::clean() in 15+ Blade templates (XSS)
- Add rate limiting to register (3/hr), upload (10/min), SSE (6/min)
- Add max:5000 validation on article comments
- Remove duplicate exception handler callback

Hardcoded paths:
- Replace ~44 /var/www/ hardcoded paths with env() configs
- CatalogService (13), AutoDetectService (18), Commandocentrum (11), AppServiceProvider (2)

Performance:
- Add 10 missing database indexes (radio_song_requests, help_center_tickets, etc.)
- Replace Cache::flush() with targeted Cache::forget() in RadioSettings
- Cache getCachedCategories() in TicketController (N+1 fix)
- Remove redundant top-3 leaderboard query

Bug fixes:
- Fix undefined $enabled variable → $isOnline in radio index view
- Add getAvatarAttribute() accessor for non-existent avatar column
- Fix User::guilds() from wrong HasMany to HasManyThrough

Code quality:
- Replace file_get_contents with Http::timeout(10) in TraxService
- Remove commented Echo/Pusher boilerplate in bootstrap.js
- Remove TODO/FIXME comments from logo-generator templates
- Replace hardcoded Turnstile CDN URL with config()
- Restore QUEUE_CONNECTION=redis in .env.example files

resources/themes/atom/views/maintenance.blade.php

@@ -258,7 +258,7 @@
  <div>
  <h3 class="text-lg font-semibold text-[var(--color-text)] mb-2">{{ __('Important Information') }}</h3>
  <div class="prose prose-invert max-w-none text-[var(--color-text-muted)]">
- <p>{!! setting('maintenance_message') !!}</p>
+  <p>{{ \Stevebauman\Purify\Facades\Purify::clean(setting('maintenance_message')) }}</p>
  </div>
  </div>
  </div>
@@ -329,6 +329,6 @@
 @endguest
 </body>
 
-<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" defer></script>
+<script src="{{ config('habbo.cdn.turnstile_js', 'https://challenges.cloudflare.com/turnstile/v0/api.js') }}" defer></script>
 
 </html>