security: fix 3 critical vulnerabilities + dependency audit

CRITICAL FIXES:
- Remove hardcoded DB password from api/db.ts (was: 9qPRdCGGqM4o)
- Remove hardcoded API key from api/routes/wp-monitor.ts
- Add mandatory env var validation for DB_USER, DB_PASS, DB_NAME
- Add mandatory env var validation for WP_MONITOR_API_KEY
- Add connection timeouts to MySQL pool (10s/15s/30s)

VERIFIED:
- .env never committed to Git (credentials not exposed in repo)
- .gitignore working correctly

DEPENDENCIES:
- Fix qs vulnerability (GHSA-w7fw-mjwx-w883)
- npm audit: 1 low → 0 vulnerabilities

Related: AUDIT-REPORT.md vulnerabilities 1.1, 1.2, 1.3
Next: Implement rate limiting, CORS restrictions, input validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

package-lock.json

@@ -5125,9 +5125,9 @@
       }
     },
     "node_modules/qs": {
-      "version": "6.14.1",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz",
-      "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==",
+      "version": "6.14.2",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
+      "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
       "license": "BSD-3-Clause",
       "dependencies": {
         "side-channel": "^1.1.0"