release: v4.8.9 security hardening patch

- upgrade DOMPurify to patched release (fixes high-severity XSS GHSA-87xg-pxx2-7hvx)
- upgrade esbuild build dependency; npm audit now reports 0 vulnerabilities
- stop tracking config/ice-servers.js (TURN credentials); add example template
- production logger no longer prints error context or info/debug output
- bump version to 4.8.9 across header, manifest, README, init message
- update SECURITY.md supported-release table to v4.8.x

config/ice-servers.example.js

@@ -0,0 +1,21 @@
+// SecureBit.chat operator ICE server override — TEMPLATE.
+//
+// Copy this file to `config/ice-servers.js` and fill in your own TURN/STUN
+// servers. The real `config/ice-servers.js` is git-ignored on purpose:
+// TURN credentials are visible to every browser that loads the page, so they
+// must never be committed to a public repository. Rotate them from your TURN
+// provider dashboard if they are ever exposed.
+//
+// If this override is absent, the WebRTC manager falls back to the built-in
+// public STUN defaults (standard mode only — no relay/IP protection).
+window.SECUREBIT_ICE_SERVERS = [
+  { urls: 'stun:stun.cloudflare.com:3478' },
+  {
+    urls: [
+      'turn:YOUR_TURN_HOST:3478?transport=udp',
+      'turn:YOUR_TURN_HOST:3478?transport=tcp'
+    ],
+    username: 'YOUR_TURN_USERNAME',
+    credential: 'YOUR_TURN_CREDENTIAL'
+  }
+];

config/ice-servers.js

@@ -1,15 +0,0 @@
-// SecureBit.chat operator ICE server override.
-// Loaded before the WebRTC manager is created. Credentials are visible to browsers;
-// rotate them from the ExpressTURN dashboard if this file is published publicly.
-window.SECUREBIT_ICE_SERVERS = [
-  { urls: 'stun:stun.cloudflare.com:3478' },
-  { urls: 'stun:stun.expressturn.com:3478' },
-  {
-    urls: [
-      'turn:free.expressturn.com:3478?transport=udp',
-      'turn:free.expressturn.com:3478?transport=tcp'
-    ],
-    username: '000000002094555952',
-    credential: 't1oK9Zftes9j7E7hJmsLad9jq1M='
-  }
-];