security: add headers, fetch timeouts, Retry-After cap, env validation

- next.config.ts: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- sixflags.ts: cap Retry-After at 5 min; add 15s AbortSignal.timeout()
- queuetimes.ts: add 10s AbortSignal.timeout()
- rcdb.ts: add 15s AbortSignal.timeout()
- lib/env.ts: parseStalenessHours() guards against NaN from invalid env vars
- db.ts + park-meta.ts: use parseStalenessHours() for staleness window config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

lib/park-meta.ts

@@ -44,8 +44,7 @@ export function defaultParkMeta(): ParkMeta {
   return { rcdb_id: null, coasters: [], coasters_scraped_at: null };
 }
 
-const COASTER_STALE_MS =
-  parseInt(process.env.COASTER_STALENESS_HOURS ?? "720", 10) * 60 * 60 * 1000;
+const COASTER_STALE_MS = parseStalenessHours(process.env.COASTER_STALENESS_HOURS, 720) * 60 * 60 * 1000;
 
 /** Returns true when the coaster list needs to be re-scraped from RCDB. */
 export function areCoastersStale(entry: ParkMeta): boolean {
@@ -55,6 +54,7 @@ export function areCoastersStale(entry: ParkMeta): boolean {
 
 import { normalizeForMatch } from "./coaster-match";
 export { normalizeForMatch as normalizeRideName } from "./coaster-match";
+import { parseStalenessHours } from "./env";
 
 /**
  * Returns a Set of normalized coaster names for fast membership checks.