fix: HIGH priority — scroll debounce, timing-safe auth, a11y, error logging, cleanup dead modals

- Header: throttle scroll handler via requestAnimationFrame (was firing 60+/sec)
- Auth: use crypto.timingSafeEqual for password and token signature comparison
- A11y: add role="dialog", aria-modal, aria-label to all modals (SignupModal, NewsModal, TeamProfile lightbox)
- A11y: add aria-label to close buttons, menu toggle (with aria-expanded), floating CTA
- A11y: add aria-label to MC Instagram buttons
- Error logging: add console.error with route names to all API catch blocks (admin + public)
- Fix open-day-register error leak (was returning raw DB error to client)
- Fix MasterClasses key={index} → key={item.title}
- Delete 3 unused modal components (BookingModal, MasterClassSignupModal, OpenDaySignupModal) — replaced by unified SignupModal

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/lib/auth.ts

@@ -17,7 +17,13 @@ function getAdminPassword(): string {
 }
 
 export function verifyPassword(password: string): boolean {
-  return password === getAdminPassword();
+  const expected = getAdminPassword();
+  if (password.length !== expected.length) return false;
+  const a = Buffer.from(password);
+  const b = Buffer.from(expected);
+  // Pad to equal length for timingSafeEqual
+  if (a.length !== b.length) return false;
+  return crypto.timingSafeEqual(a, b);
 }
 
 export function signToken(): string {
@@ -51,7 +57,7 @@ function verifyTokenNode(token: string): boolean {
       .update(data)
       .digest("base64url");
 
-    if (sig !== expectedSig) return false;
+    if (!crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expectedSig))) return false;
 
     const payload = JSON.parse(
       Buffer.from(data, "base64url").toString()