Jiseoup/showmycode (Public)
Merged

fix: close share-token bypass in GitHub proxy route and proxy matcher

#20
Jiseoup · June 11, 2026 · fix/proxy-auth-bypass → main
fix

What & Why

Closes two ways a viewer could bypass the SHARE_TOKEN check:

  • Removed the /api/github/[...path] proxy route. It was excluded from proxy.ts (the matcher skips /api/*) and never checked the smc_auth cookie, so anyone could read allowlisted private-repo contents without the share token. No client code used it — all GitHub calls happen server-side via lib/github.ts.
  • Fixed the proxy.ts matcher. The old .*\..* exclusion skipped every path containing a dot, so repository pages whose name contains a dot (e.g. next.js) bypassed the share-token check entirely. It now excludes only framework internals and named static assets.

Also updated CLAUDE.md to match the real architecture (server-side GitHub fetches, 60s cache, matcher behavior).

Related Issue

N/A

How to Verify

  1. Without the smc_auth cookie, request /<lang>/repository/<owner>/<dotted-repo> (e.g. a repo named next.js) → now 307 → /unauthorized (was 200).
  2. curl -i /api/github/repos/<owner>/<repo>/contents/README.md → 404 (route removed).
  3. npm run build && npm run typecheck && npm run lint && npm run format:check all pass.

Checklist

  • PR title follows Conventional Commits (feat:, fix:, chore:, refactor:, docs:, i18n:)
  • Translations added to both locales/ko.json and locales/en.json (if UI text changed)
  • Tested on mobile viewport (if UI changed)
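
The matcher problem described in What & Why above, as an added example that is not the project's proxy.ts. It models the old exclusion the PR quotes (the trailing .*\..* alternative), an assumed replacement list that skips only framework internals and named static files, and the smc_auth cookie check against an assumed SHARE_TOKEN value, then runs both matchers over constructed request paths. The names ProxyRequest, skipsProxy, handle, the exact exclusion lists, the exemption of /unauthorized itself, and the token value are all assumptions; the regexes approximate what Next.js compiles its matcher strings to.

```typescript
// Added example, not the project's proxy.ts: why the old matcher exclusion let
// dotted repository names bypass the share-token check, and what the fix enforces.

type ProxyRequest = { pathname: string; cookies: Partial<Record<string, string>> };
type Decision = { ran: boolean; status: number; location?: string };

// Old exclusion as the PR describes it: the ".*\..*" alternative skips every path
// that contains a dot, so /en/repository/vercel/next.js never reaches the proxy.
const OLD_MATCHER = /^\/(?!api|_next\/static|_next\/image|favicon\.ico|.*\..*).*$/;

// Assumed fixed exclusion (the exact list is not in the PR): only framework
// internals and named static files are skipped; a dot elsewhere does not matter.
const NEW_MATCHER = /^\/(?!api(?:\/|$)|_next\/|favicon\.ico$|robots\.txt$).*$/;

// Constructed value; the real token comes from the SHARE_TOKEN environment variable.
const SHARE_TOKEN = "demo-share-token-0123";

// True when the matcher excludes the path, i.e. the proxy never runs for it.
function skipsProxy(matcher: RegExp, pathname: string): boolean {
  return !matcher.test(pathname);
}

// Compare without short-circuiting on the first differing byte (length still leaks).
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Models the proxy: excluded paths are served as-is (ran: false); every other path
// needs a valid smc_auth cookie or is redirected with 307 to /unauthorized.
// Exempting /unauthorized itself is an assumption needed to avoid a redirect loop.
function handle(matcher: RegExp, req: ProxyRequest): Decision {
  if (skipsProxy(matcher, req.pathname)) return { ran: false, status: 200 };
  if (req.pathname === "/unauthorized") return { ran: true, status: 200 };
  const cookie = req.cookies["smc_auth"] ?? "";
  if (constantTimeEqual(cookie, SHARE_TOKEN)) return { ran: true, status: 200 };
  return { ran: true, status: 307, location: "/unauthorized" };
}

// Constructed probe paths, all requested without the cookie (an anonymous viewer).
const PROBES = [
  "/en/repository/vercel/next.js",
  "/en/repository/vercel/swr",
  "/_next/static/chunks/main.js",
  "/favicon.ico",
  "/api/github/repos/vercel/swr/contents/README.md",
];

for (const pathname of PROBES) {
  const before = handle(OLD_MATCHER, { pathname, cookies: {} });
  const after = handle(NEW_MATCHER, { pathname, cookies: {} });
  console.log(`${pathname.padEnd(48)} old=${before.status} new=${after.status}`);
}
```

The dotted repository path is the only probe whose status changes (200 under the old matcher because the proxy never ran, 307 under the new one). The /api/github path is excluded by both matchers; after this PR the route behind it no longer exists, which the matcher alone cannot show, hence the 404 check in How to Verify.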