fix: Improve safety, security, and stability

Security:
- Remove unverified third-party script (cdn.gpteng.co/gptengineer.js)
- Add Content Security Policy meta tag (connect-src, frame-src, object-src, base-uri)
- Patch 12 high-severity npm vulnerabilities via audit fix + overrides
- Move Gemini API calls server-side via Supabase Edge Function (ai-proxy);
  VITE_GEMINI_API_KEY no longer exposed to the browser

Stability:
- Wrap all localStorage.setItem calls in try-catch to handle QuotaExceededError
  and private/incognito mode (Safari) without crashing
- Fix beforeunload handler: async save replaced with synchronous localStorage
  write as a crash-safe backup (async saves cannot be awaited on page unload)
- Replace Promise.all with Promise.allSettled in forceSyncToDatabase so a single
  failed save no longer silently leaves other data in an inconsistent state
- Show destructive toast when endDay save fails instead of only logging to console
- Add private requireUser() helper in SupabaseService to validate user ID before
  every DB operation; removes scattered inconsistent null-check pattern
- Wrap localStorage access in InstallPrompt in try-catch for private mode safety
- Sanitize chart ID and color values before interpolation into dangerouslySetInnerHTML
- Add SCHEMA_VERSION stamp to all localStorage writes; version mismatch on read
  clears stale data and returns safe defaults instead of passing corrupt state
  through the application; legacy bare-array format remains readable

https://claude.ai/code/session_01JorBRWb89cm8BakhSoeWVx

Author: claude

index.html

@@ -35,12 +35,28 @@
     <meta name="mobile-web-app-capable" content="yes" />
     <meta name="application-name" content="TimeTracker Pro" />
 
+    <!-- Content Security Policy -->
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="
+        default-src 'self';
+        script-src 'self' 'unsafe-inline';
+        style-src 'self' 'unsafe-inline';
+        connect-src 'self' https://*.supabase.co wss://*.supabase.co https://generativelanguage.googleapis.com;
+        font-src 'self' data:;
+        img-src 'self' data: blob:;
+        frame-src 'none';
+        object-src 'none';
+        base-uri 'self';
+        form-action 'self';
+      "
+    />
+
     <link rel="stylesheet" href="/print.css" media="print" />
     <link rel="stylesheet" href="/pwa.css" />
   </head>
   <body>
     <div id="root"></div>
     <script type="module" src="/src/main.tsx"></script>
-    <script src="https://cdn.gpteng.co/gptengineer.js" defer></script>
   </body>
 </html>