Enhance Private vibe access reliability and HTML upload reliabiltiy

Thread body

- Fixed an issue on our side where some “small, simple HTML” vibes could fail to publish and show up as TypeError: Failed to fetch. This happened because we sometimes mis-detected HTML fragments (for example < div > Hello< / div > ) as React/TSX and routed them through the JSX compilation path, and because our server-side HTML sanitization could hit Worker runtime limits and get hard-killed (meaning no JSON error response and no server telemetry). We fixed this by treating HTML fragments as HTML and normalizing them into a minimal full HTML document, plus adding quota preflight + size caps around sanitization and re-validating quotas using the sanitized bundle size. - Fixed private vibe owner access reliability: owners should always be able to run their own private vibes. We found cases where private bundle fetches could 404 because the runtime didn’t consistently know it needed a bundle grant first and parts of the flow depended on an internal proxy. We fixed this by serving bundle grants directly from the API worker, exposing bundleGrantRequired in runtime manifests so the runtime always requests a grant before fetching a private bundle, and tightening bundle URL handling and token redaction in logs/telemetry.