feat: scaffold plug-n-play telegram bot on cloudflare workers

grammY-based bot with a module plugin system loaded from the MODULES env
var. Three command visibility levels (public/protected/private) share a
unified command namespace with conflict detection at registry build.

- 4 initial modules (util, wordle, loldle, misc); util fully implemented,
  others are stubs proving the plugin system end-to-end
- util: /info (chat/thread/sender ids) + /help (pure renderer over the
  registry, HTML parse mode, escapes user-influenced strings)
- KVStore interface with CFKVStore and a per-module prefixing factory;
  getJSON/putJSON convenience helpers; other backends drop in via one file
- Webhook at POST /webhook with secret-token validation via grammY's
  webhookCallback; no admin HTTP surface
- Post-deploy register script (npm run deploy = wrangler deploy && node
  --env-file=.env.deploy scripts/register.js) for setWebhook and
  setMyCommands; --dry-run flag for preview
- 56 vitest unit tests across 7 suites covering registry, db wrapper,
  dispatcher, help renderer, validators, and HTML escaper
- biome for lint + format; phased implementation plan under plans/

tests/util/escape-html.test.js

@@ -0,0 +1,22 @@
+import { describe, expect, it } from "vitest";
+import { escapeHtml } from "../../src/util/escape-html.js";
+
+describe("escapeHtml", () => {
+  it('escapes &, <, >, "', () => {
+    expect(escapeHtml('&<>"')).toBe("&amp;&lt;&gt;&quot;");
+  });
+
+  it("leaves safe characters alone", () => {
+    expect(escapeHtml("hello world 123 /cmd — émoji 🎉")).toBe("hello world 123 /cmd — émoji 🎉");
+  });
+
+  it("escapes in order so ampersand doesn't double-escape later entities", () => {
+    // Input has literal & and <, output should have &amp; and &lt; — NOT &amp;lt;
+    expect(escapeHtml("a & <b>")).toBe("a &amp; &lt;b&gt;");
+  });
+
+  it("coerces non-strings", () => {
+    expect(escapeHtml(42)).toBe("42");
+    expect(escapeHtml(null)).toBe("null");
+  });
+});