security: redact internal error messages from 500 responses

[CleanDev-Fix]

Summary

Fixes #139 by redacting unexpected internal error messages from 500 internal_error responses while preserving request correlation for operators.

Changes

• Return a fixed Unexpected server error message for 500 responses.
• Log the original thrown error/value and stack server-side with the same requestId, method, and path.
• Add regression coverage for sensitive Error messages, non-Error throws, existing validation 400 responses, and existing 413 responses.
• Document the 500 error disclosure policy in the README.

Testing/Verification

• npm run lint
• npm run build
• npx prettier --check README.md src/routes/errors.ts src/error-redaction.test.ts
• $env:NODE_ENV='test'; node --test dist/*.test.js dist/**/*.test.js (73/73 passing)

Note: On Windows, the existing npm test script fails before executing tests because it uses Unix-style NODE_ENV=test; the equivalent command above ran the full compiled test suite.

Threat Model Note

Unexpected thrown errors can contain file paths, dependency internals, or sensitive operational context. This change keeps those details in server logs correlated by requestId and returns only a generic fixed message to clients. Caller-actionable 400 and 413 responses are intentionally unchanged.

Fixes #139

[mikewheeleer]

thanks for the effort @CleanDev-Fix! 🙏 issue #139 isn't assigned to you, and we merge from the assigned contributor to keep the campaign fair. please claim an open unassigned issue first, then open your PR. closing for now — hope to see it back 🙌