fix: security/bug fixes, extract constants, remove magic values

- Remove random suffix from Wellfound job IDs (broke dedup)
- Add null coalescing to all profile field returns in form_filler
- Fix honeypot case referencing nonexistent results.skipped counter
- Remove unused makeJobId import from linkedin.mjs
- Navigate directly to job URL instead of search+click in linkedin apply
- Add Telegram notification rate limiting (1.5s between sends)
- Replace Mode B blocking sleep with --preview flag
- Add max_applications_per_run enforcement
- Remove tracked search_config.json (keep .example.json only)
- Add search_config.json to .gitignore, fix duplicate node_modules entry
- Extract all magic numbers/strings to lib/constants.mjs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 15:54:23 -08:00
parent 8bc9af14c4
commit 47513e8cec
10 changed files with 214 additions and 171 deletions


@@ -2,6 +2,9 @@
* notify.mjs — Telegram notifications
* Sends messages directly via Telegram Bot API
*/
import { TELEGRAM_API_BASE, NOTIFY_RATE_LIMIT_MS } from './constants.mjs';
let lastSentAt = 0;
export async function sendTelegram(settings, message) {
const { bot_token, telegram_user_id } = settings.notifications;
@@ -10,7 +13,14 @@ export async function sendTelegram(settings, message) {
return;
}
const url = `https://api.telegram.org/bot${bot_token}/sendMessage`;
// Rate limit to avoid Telegram API throttling
const now = Date.now();
const elapsed = now - lastSentAt;
if (elapsed < NOTIFY_RATE_LIMIT_MS) {
await new Promise(r => setTimeout(r, NOTIFY_RATE_LIMIT_MS - elapsed));
}
const url = `${TELEGRAM_API_BASE}${bot_token}/sendMessage`;
try {
const res = await fetch(url, {
method: 'POST',
@@ -21,6 +31,7 @@ export async function sendTelegram(settings, message) {
parse_mode: 'Markdown',
}),
});
lastSentAt = Date.now();
const data = await res.json();
if (!data.ok) console.error('[notify] Telegram error:', data.description);
} catch (e) {
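Review bot: The rate limit added before the `fetch` does not hold for overlapping calls, because `lastSentAt` is written only after the request resolves. Two `sendTelegram` calls started close together both read the same stale value, sleep the same interval and then send back-to-back, and a `fetch` that throws never updates it at all. Reserve the slot before awaiting instead: `const wait = Math.max(0, lastSentAt + NOTIFY_RATE_LIMIT_MS - Date.now());` followed by `lastSentAt = Date.now() + wait;`, then sleep for `wait`. Separately, `url` embeds `bot_token`, so the `catch` block (its body lies outside the visible hunk) should log `e.message` only and never the URL or the request object.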