fix(hub): printable snapshot keys, constant-time auth, 256 MiB fetch cap

- store: Snapshots() uses ":" for the public map key and clone.AccountID;
  \x1f stays as an internal seen-map guard. Prevents control-char leak
  into HTTP JSON, m.providerOrder, and (transitively) settings.json.
- server: use crypto/subtle.ConstantTimeCompare for Bearer token compare,
  preventing byte-by-byte timing enumeration. Drop NewServerWithAuth's
  env-var fallback — resolveHubRuntime already resolves
  OPENUSAGE_HUB_TOKEN before constructing the Server.
- hub-view: raise fetch cap to 256 MiB. /v1/snapshots is an aggregate of
  all workers, so the previous 16 MiB (4× per-push) truncated responses
  from larger clusters.
- daemon: capture OPENUSAGE_HUB_TOKEN into the platform service file
  alongside provider API keys; documented as part of `daemon install`.
- core/remote: annotate SentAt as a reserved wire-format field; hub
  eviction keys on server-side receivedAt.
- docs: drop the inaccurate "hub.auth_token in settings.json" reference
  (HubConfig.AuthToken is json:"-"); rewrite the daemon-install step in
  the multi-machine guide; note /healthz machine-name leak on
  internet-facing deployments and the loopback-bind mitigation.
kevinlin committed
39861607013ea345f4456cc50e0dd7dcd1f9fb88
Parent: 7abe2de
Committed by Jan Baraniewski <dev@baraniewski.com> on 5/28/2026, 12:46:59 PM
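
The constant-time Bearer comparison named in the server bullet, as an added Go example that is not the project's own code: `requireBearer` and `statusFor` are hypothetical names, the token is a constructed value, and hashing both sides before the compare and failing closed on an empty configured token are assumptions of this sketch, not something the commit message states.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer (hypothetical helper) rejects requests whose Authorization
// header does not carry the expected token.
func requireBearer(token string, next http.Handler) http.Handler {
	want := sha256.Sum256([]byte(token))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hdr := r.Header.Get("Authorization")
		hasScheme := strings.HasPrefix(hdr, "Bearer ")
		got := sha256.Sum256([]byte(strings.TrimPrefix(hdr, "Bearer ")))
		// Both digests are 32 bytes. ConstantTimeCompare returns 0 immediately
		// when lengths differ, so comparing raw tokens would leak the length.
		match := subtle.ConstantTimeCompare(got[:], want[:]) == 1
		// Assumption: an empty configured token never authenticates anyone.
		if !hasScheme || token == "" || !match {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one in-memory request through the middleware and returns
// the HTTP status code the client would see.
func statusFor(token, header string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/v1/snapshots", nil)
	if header != "" {
		req.Header.Set("Authorization", header)
	}
	rec := httptest.NewRecorder()
	requireBearer(token, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const tok = "constructed-sample-token" // constructed value, not a real secret
	for _, h := range []string{"Bearer " + tok, "Bearer constructed-sample-tokeX", "Bearer x", ""} {
		fmt.Printf("%q -> %d\n", h, statusFor(tok, h))
	}
}
```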