feat: complete Phase 2 tech debt remediation

- Extract shared RSS/Atom fetch logic into feed-fetcher utility (P1-3)
- Split email-processor into validateEmail/storeEmail functions (P1-6)
- Add stateless HMAC-SHA256 CSRF protection to admin forms (P2-8)
- Fix Hono<{ Bindings: Env }> type safety across all routes (P3-13)
- Add entries.test.ts and files.test.ts with full coverage (P1-7)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/routes/inbound.ts

@@ -2,9 +2,8 @@ import { Context } from "hono";
 import { Env } from "../types";
 import { ForwardEmailPayload, handleForwardEmail } from "../lib/forwardemail";
 
-export async function handle(c: Context): Promise<Response> {
+export async function handle(c: Context<{ Bindings: Env }>): Promise<Response> {
   try {
-    const env = c.env as unknown as Env;
     const payload: ForwardEmailPayload = await c.req.json();
 
     console.log("Received email:", {
@@ -20,7 +19,7 @@ export async function handle(c: Context): Promise<Response> {
     } catch {
       // No ExecutionContext in this environment (e.g. tests); WebSub notifications will be skipped
     }
-    return handleForwardEmail(payload, env, ctx);
+    return handleForwardEmail(payload, c.env, ctx);
   } catch (error) {
     console.error("Error processing email:", error);
     return new Response("Error processing email", { status: 500 });