release: v4.8.13 message integrity & transport hardening

Bumps version to 4.8.13 across package.json, package-lock.json, manifest.json,
index.html, meta.json, README, SECURITY_DISCLAIMER, the site header and the
in-app init banner (previously desynced at 4.8.10/4.8.11/4.8.12).

Ships the security-review fixes already on main:
- removed the over-broad send-path keyword blocklist that silently rejected
  legitimate messages (real XSS defense remains receive-side DOMPurify)
- preserve newlines/tabs/indentation in outgoing message sanitization
- stop logging raw AAD (sessionId + keyFingerprint) on validation failure
- add Strict-Transport-Security and Permissions-Policy headers
- add outgoing-message-integrity regression tests

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "securebit-chat",
-  "version": "4.8.10",
+  "version": "4.8.13",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "securebit-chat",
-      "version": "4.8.10",
+      "version": "4.8.13",
       "license": "MIT",
       "dependencies": {
         "base64-js": "1.5.1",