
fix: path traversal, CORS, cache cap, __dirname, error pages, cookie order#1193

Open
yetval wants to merge 1 commit into UseInterstellar:main from yetval:main

Conversation

Contributor

@yetval yetval commented Mar 29, 2026

Summary

Security fixes

  • Fix path traversal in Masqr.js via Host header — validate with allowlist regex, use path.basename() instead of incomplete normalize().replace()

Bug fixes

  • Fix __dirname using process.cwd() instead of import.meta.url (ESM module — wrong dir when launched from different cwd)
  • Fix mime.getType() returning null for unknown extensions (now falls back to application/octet-stream)
  • Fix MasqFail() calls not being awaited
  • Fix cookieParser registered after route handlers — moved before routes so Masqr can read cookies on /e/*
  • Fix 500 error handler incorrectly serving 404.html — now serves 500.html
  • Fix CORS for bare-server routes — headers now set on raw http.Server handler; Express middleware never ran on those routes

Reliability

  • Cap in-memory asset cache at CACHE_MAX_ENTRIES (default 1000, env-configurable) to prevent OOM under adversarial traffic
  • Add defensive headersSent guard in asset proxy error handler

Error pages

  • Add static/500.html
  • Replace Failed.html nginx placeholder with proper license-validation-failed page

Credentials

  • Remove hardcoded default password from config.js — credentials now read from BASIC_AUTH_USERS env var (user:pass CSV)
  • Usernames only logged at startup (passwords no longer printed)

Notes

  • Masqr remains opt-in via MASQR=true env var
  • COOKIE_SECRET env var required at startup when MASQR=true

yetval changed the title from "fixes index.js and Masqr.js" to "security fixes: Masqr.js hardening, cache cap, credentials, error pages" on Apr 12, 2026
yetval changed the title from "security fixes: Masqr.js hardening, cache cap, credentials, error pages" to "fix: keep only confirmed bug fixes" on Apr 16, 2026
yetval changed the title from "fix: keep only confirmed bug fixes" to "fix: path traversal, CORS, cache cap, __dirname, error pages, cookie order" on Apr 16, 2026