feat: complete Phase 2 tech debt remediation

- Extract shared RSS/Atom fetch logic into feed-fetcher utility (P1-3)
- Split email-processor into validateEmail/storeEmail functions (P1-6)
- Add stateless HMAC-SHA256 CSRF protection to admin forms (P2-8)
- Fix Hono<{ Bindings: Env }> type safety across all routes (P3-13)
- Add entries.test.ts and files.test.ts with full coverage (P1-7)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/routes/entries.ts

@@ -2,8 +2,7 @@ import { Context } from "hono";
 import { html, raw } from "hono/html";
 import { Env, FeedMetadata, EmailData } from "../types";
 
-export async function handle(c: Context): Promise<Response> {
-  const env = c.env as unknown as Env;
+export async function handle(c: Context<{ Bindings: Env }>): Promise<Response> {
   const feedId = c.req.param("feedId");
   const receivedAt = parseInt(c.req.param("entryId"), 10);
 
@@ -11,7 +10,7 @@ export async function handle(c: Context): Promise<Response> {
     return new Response("Not Found", { status: 404 });
   }
 
-  const emailStorage = env.EMAIL_STORAGE;
+  const emailStorage = c.env.EMAIL_STORAGE;
 
   const feedMetadata = (await emailStorage.get(
     `feed:${feedId}:metadata`,