feat(security): implement AES-256-GCM encryption for API keys and HMAC-signed session tokens

This commit introduces:
- AES-256-GCM encryption for LLM provider API keys in the database.
- HMAC-SHA256 signed session tokens with activity-based refresh logic.
- Standardized frontend XSS protection using a global escapeHtml utility.
- Hardened security headers and request body size limits.
- Improved database integrity with foreign key enforcement and atomic transactions.
- Integration tests for the full encrypted key storage and proxy usage lifecycle.

static/js/api.js

@@ -35,6 +35,14 @@ class ApiClient {
             throw new Error(result.error || `HTTP error! status: ${response.status}`);
         }
 
+        // Handling X-Refreshed-Token header
+        if (response.headers.get('X-Refreshed-Token') && window.authManager) {
+            window.authManager.token = response.headers.get('X-Refreshed-Token');
+            if (window.authManager.setToken) {
+                window.authManager.setToken(window.authManager.token);
+            }
+        }
+
         return result.data;
     }
 
@@ -87,6 +95,17 @@ class ApiClient {
         const date = luxon.DateTime.fromISO(dateStr);
         return date.toRelative();
     }
+
+    // Helper for escaping HTML
+    escapeHtml(unsafe) {
+        if (unsafe === undefined || unsafe === null) return '';
+        return unsafe.toString()
+            .replace(/&/g, "&")
+            .replace(/</g, "&lt;")
+            .replace(/>/g, "&gt;")
+            .replace(/"/g, "&quot;")
+            .replace(/'/g, "&#039;");
+    }
 }
 
 window.api = new ApiClient();