
fix(security): harden secrets handling and remove insecure configs #4

Merged: Abdullahi-Model merged 1 commit into main from security/hardening-audit-fixes on May 21, 2026
@Abdullahi-Model
Collaborator

Security Hardening — Audit Fixes

Secrets audit found no hardcoded credentials but identified 4 security issues. This PR fixes all of them.

Changes

| Severity | Issue | Fix |
|----------|-------|-----|
| HIGH | API key first 10 chars logged on every request | Replace with [key=REDACTED] |
| HIGH | API key first 10 chars logged in sync error panel | Replace with REDACTED |
| HIGH | CEF manifest disables web security (--disable-web-security, --allow-running-insecure-content) | Remove both insecure flags |
| MEDIUM | Settings panel shows first 16 chars of API key | Show only last 4 chars (••••••••abcd) |
| MEDIUM | API key input prefilled with masked value (could be submitted as key) | Clear default value, force re-entry |
| MEDIUM | http://modelslab-studio.test HTTP domain whitelisted | Remove HTTP domain from manifest |
| MEDIUM | Default API URL points to internal test domain | Update default to https://mstudio.ai/api/v1 |

Files Changed

  • src/core/api-client.ts — redact key from logs
  • src/ui/panels/sync-panel.ts — redact key from error log
  • src/ui/panels/settings-panel.ts — mask key display, clear prefill
  • src/core/config.ts — update default API URL to production
  • CSXS/manifest.xml — remove insecure CEF flags
  • manifest.json — remove HTTP/test domains from whitelist
  • scripts/bundled-assets.ts — regenerated with all fixes

Verification

  • npm run typecheck — passes clean
  • npm run build — passes clean
  • ✅ No remaining references to modelslab-studio.test
  • ✅ No remaining references to --disable-web-security

- Redact API key from request logs (api-client.ts)
- Redact API key from sync error logs (sync-panel.ts)
- Mask API key in settings UI to show only last 4 chars
- Clear API key input field value to prevent pre-fill
- Remove --allow-running-insecure-content and --disable-web-security
  CEF flags from manifest.xml
- Remove HTTP domain from manifest.json network whitelist
- Remove internal test domain (modelslab-studio.test) from manifest
- Update default API URL to production (https://mstudio.ai/api/v1)
- Regenerate bundled-assets.ts with all fixes
@Abdullahi-Model Abdullahi-Model merged commit e0b9963 into main May 21, 2026
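
The two key-handling fixes listed in this PR (redacting the key from logs, showing only the last 4 characters in settings), sketched as an added example that is not code from this PR or repository. All function names, the 6-character fragment threshold, the 12-character minimum for revealing a tail, and the sample key are assumptions.

```typescript
// Added example, not the project's code. All names below are hypothetical.
const REDACTED = "[key=REDACTED]";
const MASK = "••••••••";
const MIN_FRAGMENT = 6; // assumed: shortest leaked key prefix worth scrubbing

// Settings display: fixed-width mask plus the last 4 chars. Keys shorter than
// 12 chars are fully masked so the visible tail is never most of the secret.
function maskApiKey(key: string): string {
  return key.length >= 12 ? MASK + key.slice(-4) : MASK;
}

// Log scrubber: replaces the full key, or any leading fragment of it (such as
// a "first 10 chars" debug print), wherever it appears in a log message.
// Keys shorter than MIN_FRAGMENT are not scrubbed.
function scrubKeyFromLog(message: string, key: string): string {
  if (key.length < MIN_FRAGMENT) return message;
  const head = key.slice(0, MIN_FRAGMENT);
  let out = "";
  let pos = 0;
  for (;;) {
    const hit = message.indexOf(head, pos);
    if (hit === -1) break;
    // Extend the match for as long as the message keeps following the key.
    let len = MIN_FRAGMENT;
    while (len < key.length && message[hit + len] === key[len]) len++;
    out += message.slice(pos, hit) + REDACTED;
    pos = hit + len;
  }
  return out + message.slice(pos);
}

// Logger wrapper so individual call sites cannot forget to scrub.
function makeSafeLogger(getKey: () => string, sink: (line: string) => void) {
  return (message: string): void => sink(scrubKeyFromLog(message, getKey()));
}

// Constructed sample key and log lines (not real credentials).
const demoKey = "EXAMPLE-KEY-0123456789-WXYZ";
const demoLines: string[] = [];
const demoLog = makeSafeLogger(() => demoKey, (l) => demoLines.push(l));
demoLog(`request sent with ${demoKey.substring(0, 10)}...`);
demoLog(`Authorization: Bearer ${demoKey}`);
demoLog("sync finished, 3 assets");
```

Scrubbing at the logger, in addition to removing the key from each log call, means a partial-key print reintroduced later is still caught before it reaches the log.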