feat(security): implement AES-256-GCM encryption for API keys and HMAC-signed session tokens

This commit introduces:
- AES-256-GCM encryption for LLM provider API keys in the database.
- HMAC-SHA256 signed session tokens with activity-based refresh logic.
- Standardized frontend XSS protection using a global escapeHtml utility.
- Hardened security headers and request body size limits.
- Improved database integrity with foreign key enforcement and atomic transactions.
- Integration tests for the full encrypted key storage and proxy usage lifecycle.

src/main.rs

@@ -10,6 +10,7 @@ use llm_proxy::{
     rate_limiting::{CircuitBreakerConfig, RateLimitManager, RateLimiterConfig},
     server,
     state::AppState,
+    utils::crypto,
 };
 
 #[tokio::main]
@@ -26,6 +27,10 @@ async fn main() -> Result<()> {
     let config = AppConfig::load().await?;
     info!("Configuration loaded from {:?}", config.config_path);
 
+    // Initialize encryption
+    crypto::init_with_key(&config.encryption_key)?;
+    info!("Encryption initialized");
+
     // Initialize database connection pool
     let db_pool = database::init(&config.database).await?;
     info!("Database initialized at {:?}", config.database.path);