feat(security): implement AES-256-GCM encryption for API keys and HMAC-signed session tokens

This commit introduces:
- AES-256-GCM encryption for LLM provider API keys in the database.
- HMAC-SHA256 signed session tokens with activity-based refresh logic.
- Standardized frontend XSS protection using a global escapeHtml utility.
- Hardened security headers and request body size limits.
- Improved database integrity with foreign key enforcement and atomic transactions.
- Integration tests for the full encrypted key storage and proxy usage lifecycle.

src/dashboard/clients.rs

@@ -88,9 +88,10 @@ pub(super) async fn handle_create_client(
     headers: axum::http::HeaderMap,
     Json(payload): Json<CreateClientRequest>,
 ) -> Json<ApiResponse<serde_json::Value>> {
-    if let Err(e) = super::auth::require_admin(&state, &headers).await {
-        return e;
-    }
+    let (session, _) = match super::auth::require_admin(&state, &headers).await {
+        Ok((session, new_token)) => (session, new_token),
+        Err(e) => return e,
+    };
 
     let pool = &state.app_state.db_pool;
 
@@ -198,9 +199,10 @@ pub(super) async fn handle_update_client(
     Path(id): Path<String>,
     Json(payload): Json<UpdateClientPayload>,
 ) -> Json<ApiResponse<serde_json::Value>> {
-    if let Err(e) = super::auth::require_admin(&state, &headers).await {
-        return e;
-    }
+    let (session, _) = match super::auth::require_admin(&state, &headers).await {
+        Ok((session, new_token)) => (session, new_token),
+        Err(e) => return e,
+    };
 
     let pool = &state.app_state.db_pool;
 
@@ -294,9 +296,10 @@ pub(super) async fn handle_delete_client(
     headers: axum::http::HeaderMap,
     Path(id): Path<String>,
 ) -> Json<ApiResponse<serde_json::Value>> {
-    if let Err(e) = super::auth::require_admin(&state, &headers).await {
-        return e;
-    }
+    let (session, _) = match super::auth::require_admin(&state, &headers).await {
+        Ok((session, new_token)) => (session, new_token),
+        Err(e) => return e,
+    };
 
     let pool = &state.app_state.db_pool;
 
@@ -437,9 +440,10 @@ pub(super) async fn handle_create_client_token(
     Path(id): Path<String>,
     Json(payload): Json<CreateTokenRequest>,
 ) -> Json<ApiResponse<serde_json::Value>> {
-    if let Err(e) = super::auth::require_admin(&state, &headers).await {
-        return e;
-    }
+    let (session, _) = match super::auth::require_admin(&state, &headers).await {
+        Ok((session, new_token)) => (session, new_token),
+        Err(e) => return e,
+    };
 
     let pool = &state.app_state.db_pool;
 
@@ -485,9 +489,10 @@ pub(super) async fn handle_delete_client_token(
     headers: axum::http::HeaderMap,
     Path((client_id, token_id)): Path<(String, i64)>,
 ) -> Json<ApiResponse<serde_json::Value>> {
-    if let Err(e) = super::auth::require_admin(&state, &headers).await {
-        return e;
-    }
+    let (session, _) = match super::auth::require_admin(&state, &headers).await {
+        Ok((session, new_token)) => (session, new_token),
+        Err(e) => return e,
+    };
 
     let pool = &state.app_state.db_pool;