Fix critical and high severity security vulnerabilities

[kwsantiago]

• Fix buffer overflow in U8toU16 null terminator placement
• Fix sizeof(text) passing std::string object size instead of buffer size
• Fix character creation validation bypass (operator precedence bug)
• Fix duplicateExit allowing any user to disconnect other sessions
• Fix out-of-bounds array access via unchecked indices in trading/GM give
• Fix monitor transmit() send() error handling causing infinite loop
• Fix NULL deref in findAccount when BanReason column is NULL
• Fix missing else branch in groupMenuChatHandler causing null group deref
• Fix return vs continue in MobAI loops (useAbilities, onDeath)
• Fix nullptr EntityRef construction in MobAI retreat transition
• Add missing null checks for getPlayer() in Groups and BuiltinCommands
• Replace assert() with runtime checks in release-critical paths
• Add integer overflow checks for email/trade/vendor/mission money
• Re-validate trade money at confirmation to prevent manipulation
• Add per-IP connection limiting (MAXPERIP setting)
• Add login rate limiting (LOGINLIMIT, LOGINWINDOW settings)
• Add monitor password authentication (MONITORPASS setting)
• Use timing-safe comparison for monitor password
• Use find() instead of operator[] for connectionsPerIP to prevent map bloat
• Add chat message sanitization (sanitizeText)
• Fix memory leaks in email attachment handling
• Remove unused assert includes, add missing climits includes

[yungcomputerchair]

We are not going to accept a massive AI-generated pull request of 10+ unrelated changes. Sorry.

If you would like to contribute, I would pick one or two of what you consider to be "critical" vulns and submit a well-documented PR to address it.

[kwsantiago]

@yungcomputerchair totally understand, this is a big diff for one PR.

Here are the most critical fixes imo: #317 #318 #319

If these PRs get accepted, I can bring more fixes from this branch into separate PRs.