security: structured logging + opaque error IDs (stop leaking str(e) in 500s)

[lzt0513]

Closes #110

Changes

• \send_error_response\ now returns JSON with an opaque \error_id\ instead of \ ext/plain\ with leaked exception text
• Full tracebacks are printed server-side, indexed by \error_id\ for log correlation
• Added \send_client_error\ for 4xx responses (returns JSON without error_id)
• \do_POST\ now catches \ValueError\ separately as 400 instead of 500
• Other exception handlers use the updated \send_error_response\ which does not leak details

Acceptance criteria covered

• 500 responses no longer leak str(e)/internal detail; they carry an error_id
• The matching traceback is findable in logs by error_id
• Client-input errors return 4xx, not 500

[imran31415]

Lgtm