fix(security): restore outgoing message integrity, add HSTS/Permissions-Policy
CodeQL Analysis / Analyze CodeQL (push) Has been cancelled
Deploy Application / deploy (push) Has been cancelled
Mirror to Codeberg / mirror (push) Has been cancelled
Mirror to PrivacyGuides / mirror (push) Has been cancelled

- Remove send-path keyword blocklist that silently rejected legitimate
  messages (e.g. "constructor", "global", "document.", literal "javascript:")
  without adding protection. XSS is enforced at the rendering boundary by the
  receive-side DOMPurify pass and by sanitizeMessage() before encryption.
- Preserve newlines/tabs/indentation in _sanitizeInputString; stop collapsing
  all whitespace which destroyed multi-line messages and code snippets.
- Stop logging raw AAD (sessionId + keyFingerprint) on validation failure;
  log length only, in both message and file-message AAD validators.
- Add Strict-Transport-Security (2y + preload) and Permissions-Policy
  (camera=self for QR, rest denied) to nginx.conf and .htaccess.
- Add tests/outgoing-message-integrity.test.mjs regression suite.
This commit is contained in:
lockbitchat
2026-06-18 16:48:29 -04:00
parent 6f36fce8c6
commit 42be55aaeb
7 changed files with 155 additions and 139 deletions
+6
@@ -55,6 +55,12 @@ http {
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Frame-Options "DENY" always;
add_header Content-Security-Policy "frame-ancestors 'none';" always;
# Force HTTPS for two years and preload, closing the first-visit SSL-strip
# window that upgrade-insecure-requests alone does not cover.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Lock down powerful features. Camera is allowed for in-page QR scanning;
# microphone/geolocation and other sensors are denied outright.
add_header Permissions-Policy "camera=(self), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()" always;
add_header Cache-Control $sb_cache always;
add_header Service-Worker-Allowed "/" always;
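Review bot: these add_header lines live in the http {} context (hunk header `@@ -55,6 +55,12 @@ http {`), and nginx only passes add_header down to a server or location block that declares no add_header of its own; any downstream block that sets even one header will silently drop Strict-Transport-Security and Permissions-Policy together with the existing Referrer-Policy, X-Frame-Options and Content-Security-Policy lines. Suggest putting the whole set in an included snippet that each server/location block pulls in, and checking each location with `curl -sI` after deploy. Two smaller points on the same hunk: `max-age=63072000; includeSubDomains; preload` commits every subdomain to HTTPS for two years and is not practically revocable once the host is submitted to the preload list, so confirm no subdomain still needs plain HTTP before submitting; and the comment above the HSTS line cites `upgrade-insecure-requests`, which the Content-Security-Policy header shown here (`frame-ancestors 'none';`) does not set, so either note where that directive is actually delivered or drop the clause.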