fix: QA audit bugs BUG-051/052/056/057/059/062/063/064/065/066/068

- BUG-056: Fix sitemap namespace sitemapns.org -> sitemaps.org
- BUG-062: Extend <main> to wrap all page content (hero+features+pricing+EU section)
- BUG-064: Add sr-only <label> elements to all modal form inputs (signup, recovery, change-email)
- BUG-051/052: Remove duplicate X-Content-Type-Options headers from nginx (let helmet handle)
- BUG-057: Fix JSON-LD and pricing card: Pro plan is 2,500 PDFs/month not 5,000
- BUG-059: Add meta description, canonical URL, og: tags to /docs page
- BUG-063: Change eu-hosting h3 to h2 (correct heading hierarchy)
- BUG-065/066: Add aria-modal=true, role=dialog to modals; aria-label=Close to close buttons
- BUG-068: Add hash-based modal open for #change-email on page load
- Add .sr-only CSS utility class to base and index styles

nginx-docfast.conf

@@ -28,7 +28,6 @@ server {
         # Cache for 1 day
         expires 1d;
         add_header Cache-Control "public, max-age=86400";
-        add_header X-Content-Type-Options nosniff;
     }
 
     location = /sitemap.xml {
@@ -41,7 +40,6 @@ server {
         # Cache for 1 day
         expires 1d;
         add_header Cache-Control "public, max-age=86400";
-        add_header X-Content-Type-Options nosniff;
     }
 
     # Static assets caching
@@ -55,7 +53,6 @@ server {
         # Cache static assets for 1 week
         expires 7d;
         add_header Cache-Control "public, max-age=604800, immutable";
-        add_header X-Content-Type-Options nosniff;
     }
 
     # All other requests
@@ -68,7 +65,6 @@ server {
         proxy_read_timeout 60s;
         
         # Security headers
-        add_header X-Content-Type-Options nosniff;
     }
 
     listen 443 ssl; # managed by Certbot