fix(electrobun): address all 22 Codex review #2 findings

CRITICAL:
- DocsTab XSS: DOMPurify sanitization on all {@html} output
- File RPC path traversal: guardPath() validates against project CWDs

HIGH:
- SSH injection: spawn /usr/bin/ssh via PTY args, no shell string
- Search XSS: strip HTML, highlight matches client-side with <mark>
- Terminal listener leak: cleanup functions stored + called in onDestroy
- FileBrowser race: request token, discard stale responses
- SearchOverlay race: same request token pattern
- App startup ordering: groups.list chains into active_group restore
- PtyClient timeout: 5-second auth timeout on connect()
- Rule 55: 6 {#if} patterns converted to style:display toggle

MEDIUM:
- Agent persistence: only persist NEW messages (lastPersistedIndex)
- Search errors: typed error response, "Invalid query" UI
- Health store wired: agent events call recordActivity/setProjectStatus
- index.ts SRP: split into 8 domain handler modules (298 lines)
- App.svelte: extracted workspace-store.svelte.ts
- rpc.ts: typed AppRpcHandle, removed `any`

LOW:
- CommandPalette listener wired in App.svelte
- Dead code removed (removeGroup, onDragStart, plugin loaded)

ui-electrobun/src/mainview/SshTab.svelte

@@ -86,7 +86,7 @@
   }
 
   function connectSsh(conn: SshConfig) {
-    // Spawn a PTY with ssh command
+    // Fix #3: Spawn ssh directly via PTY shell+args — no shell command injection
     const sessionId = `ssh-${conn.id}-${Date.now()}`;
     const args = ['-p', String(conn.port), `${conn.user}@${conn.host}`];
     if (conn.keyPath) args.unshift('-i', conn.keyPath);
@@ -95,13 +95,9 @@
       sessionId,
       cols: 120,
       rows: 30,
+      shell: '/usr/bin/ssh',
+      args,
     }).catch(console.error);
-
-    // Write the ssh command after a short delay to let the shell start
-    setTimeout(() => {
-      const cmd = `/usr/bin/ssh ${args.join(' ')}\n`;
-      appRpc.request['pty.write']({ sessionId, data: cmd }).catch(console.error);
-    }, 300);
   }
 
   onMount(async () => {