refactor: route anonymize preview through the backend

The form's live README/PR preview was running its own copy of
ContentAnonimizer in the browser. The two implementations had been
drifting — recent fixes for word boundaries (#175/#249), accent
matching (#280), custom replacements (#285), and the diacritic-stripped
variants only landed on the server. Reviewers saw one anonymization;
authors composing the form saw another.

Add POST /api/anonymize-preview that takes a snippet (or a batch) plus
the user's options and runs them through the same ContentAnonimizer
the file route uses. Replace the client-side anonymizeReadme() body
with a debounced call to that endpoint. The PR view's
anonymizePrContent() runs as a synchronous template expression, so it
now reads from a {original -> anonymized} cache that's refreshed in
the background whenever the PR details, terms, or options change.

Single-flight + debounce keep the form responsive; an in-flight
request is dropped on the next change.

src/server/index.ts

@@ -161,6 +161,7 @@ export default async function start() {
   apiRouter.use("/repo", speedLimiter, router.repositoryPrivate);
   apiRouter.use("/pr", speedLimiter, router.pullRequestPublic);
   apiRouter.use("/pr", speedLimiter, router.pullRequestPrivate);
+  apiRouter.use("/anonymize-preview", speedLimiter, router.anonymizePreview);
 
   apiRouter.get("/message", async (_, res) => {
     if (existsSync("./message.txt")) {