feat(tracking): add key rotation and worker abuse protections

[salmonumbrella]

Summary

• Add AES-256-GCM key rotation with versioned encryption blobs, backward-compatible decryption, and gog gmail track key rotate CLI command (closes Security: Add key rotation mechanism for email tracking encryption #293)
• Add IP-based rate limiting via KV, D1-based open deduplication, and improved bot detection (header checks, timing heuristics, Cloudflare Bot Management) to the tracking pixel worker (closes Security: Add rate limiting to email tracking Cloudflare Worker #294)
• Fix Drive --filter query pass-through for search and search-more subcommands
• Fix Gmail MIME encoding for non-ASCII display names in From/Reply-To headers

Test plan

• Go build compiles cleanly
• All Go tests pass (go test ./internal/tracking/... ./internal/cmd/...)
• Key rotation: versioned encrypt → decrypt with multiple keys → legacy fallback
• Bot detection: expanded UA matching, header presence checks, timing-based prefetch detection
• /q/ endpoint requires admin Bearer token (security fix from code review)
• Drive filter pass-through with compound queries, case sensitivity
• Gmail MIME non-ASCII header encoding edge cases

Closes #293
Closes #294

🤖 Generated with Claude Code

[steipete]

Thanks for the tracking security work. This is now superseded by main, so I’m closing the stale PR rather than trying to merge the dirty branch.\n\nLanded/current coverage:\n- #293 key rotation: fixed in e98f44d (versioned tracking blobs, gmail track key rotate, versioned Worker secrets, legacy fallback).\n- #294 abuse/rate limiting: already fixed/closed via dfc5b75 (dedupe repeated opens and cap per-IP writes).\n- retention/admin query hardening also exists on main via 9ce77ef and related tracking commits.\n- the unrelated Drive/Gmail fixes from the first PR commit are already on main via #266 / 4272c68, and issues #254/#255 are closed.\n\nVerified now:\n- go test ./internal/tracking ./internal/cmd -run 'TestEncryptWithVersion|TestDecryptWithKeys|TestGmailTrackKeyRotate|TestGeneratePixelURL|TestGmailTrackSetupAndStatus'\n- go test ./internal/cmd -run 'TestBuildDriveSearchQuery|TestLooksLikeDriveFilterQuery|TestDriveSearchCmd_PassesThroughDriveFilterQueries|TestBuildRFC822UTF8FromDisplayName|TestFormatAddressHeaders|TestBuildRFC822PlainFromAddressStaysUnwrapped'\n- pnpm -C internal/tracking/worker test\n\nClosing as superseded by landed main. Thanks again.