Security, privacy, and agent intelligence hardening

## Security (Workset A)
- XSS: Verified templates use safe DOM methods (textContent, createElement)
- Secrets: Fail-fast in production mode when L402 secrets not set
- Environment mode: Add TIMMY_ENV (development|production) validation

## Privacy (Workset C)
- Add telemetry_enabled config (default: False for sovereign AI)
- Pass telemetry setting to Agno Agent
- Update .env.example with TELEMETRY_ENABLED and TIMMY_ENV docs

## Agent Intelligence (Workset D)
- Enhanced TIMMY_SYSTEM_PROMPT with:
  - Tool usage guidelines (when to use, when not to)
  - Memory awareness documentation
  - Operating mode documentation
- Help reduce unnecessary tool calls for simple queries

All 895 tests pass.
Telemetry disabled by default aligns with sovereign AI vision.
Alexander Payne
2026-02-25 15:32:19 -05:00
parent 1df5145895
commit 4961c610f2
5 changed files with 228 additions and 14 deletions


@@ -41,6 +41,15 @@
# Lightning backend: "mock" (default) | "lnd"
# LIGHTNING_BACKEND=mock
# ── Environment & Privacy ───────────────────────────────────────────────────
# Environment mode: "development" (default) | "production"
# In production, security secrets MUST be set or the app will refuse to start.
# TIMMY_ENV=development
# Disable Agno telemetry for sovereign/air-gapped deployments.
# Default is false (disabled) to align with local-first AI vision.
# TELEMETRY_ENABLED=false
# ── Telegram bot ──────────────────────────────────────────────────────────────
# Bot token from @BotFather on Telegram.
# Alternatively, configure via the /telegram/setup dashboard endpoint at runtime.
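Review bot: In the new "Environment & Privacy" block, the TIMMY_ENV comment makes "development" the default, so as documented the refuse-to-start check is opt-in: a deployment copied from this file with `# TIMMY_ENV=development` left commented out never reaches the production path the previous line describes. Say that explicitly in the comment (for example, "must be set to production on any deployed instance"), and name the variables that count as "security secrets" so an operator knows what to fill in before switching modes; the comment currently does not list them. It would also help to state what happens when TIMMY_ENV holds a value other than the two listed. On TELEMETRY_ENABLED, "Default is false (disabled)" is clear, but the line above it reads as an instruction to disable something that is already off; rewording it to "Set to true to enable Agno telemetry" would match the default.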