release: v4.8.13 message integrity & transport hardening

Bumps version to 4.8.13 across package.json, package-lock.json, manifest.json,
index.html, meta.json, README, SECURITY_DISCLAIMER, the site header and the
in-app init banner (previously desynced at 4.8.10/4.8.11/4.8.12).

Ships the security-review fixes already on main:
- removed the over-broad send-path keyword blocklist that silently rejected
  legitimate messages (real XSS defense remains receive-side DOMPurify)
- preserve newlines/tabs/indentation in outgoing message sanitization
- stop logging raw AAD (sessionId + keyFingerprint) on validation failure
- add Strict-Transport-Security and Permissions-Policy headers
- add outgoing-message-integrity regression tests

meta.json

@@ -1,10 +1,10 @@
 {
-  "version": "1781732923420",
-  "buildVersion": "1781732923420",
-  "appVersion": "4.8.12",
-  "buildTime": "2026-06-17T21:48:43.476Z",
-  "buildId": "1781732923420-be1d02f",
-  "gitHash": "be1d02f",
+  "version": "1781816839471",
+  "buildVersion": "1781816839471",
+  "appVersion": "4.8.13",
+  "buildTime": "2026-06-18T21:07:19.513Z",
+  "buildId": "1781816839471-42be55a",
+  "gitHash": "42be55a",
   "generated": true,
-  "generatedAt": "2026-06-17T21:48:43.478Z"
+  "generatedAt": "2026-06-18T21:07:19.514Z"
 }