fix: security and infra fixes (#36, #37, #43, #44)

[jacaudi]

Summary

Four independent fixes from code review of PR #34, bundled together because they're small and share the "security and infra hardening" theme.

• ECDH private key imported as extractable (should be non-extractable) #36 — ECDH importKey calls now use extractable: false (both in src/js/worker/ecdh.js and src/js/worker/encryption.js). No exportKey calls exist in the codebase; this is pure defense-in-depth against key exfiltration via Web Crypto.
• Sanitize filenames in download_ab for defense-in-depth #37 — download_ab now passes filenames through a new sanitizeFilename() helper that strips path separators (/, \), null bytes, and truncates to 255 chars.
• chore: add .dockerignore to reduce build context and improve layer caching #43 — Added .dockerignore excluding .git/, .worktrees/, docs/, app/tests/ to shrink build context and avoid busting the js-build layer cache on unrelated edits.
• chore: pin alpine base image version in Dockerfile #44 — Pinned FROM alpine → FROM alpine:3 in the fonts stage of the Dockerfile (other stages were already pinned).

Tests added

• app/tests/test-security-hardening.js — asserts ECDH extractable: false, sanitizeFilename presence and behavior in built output (9 assertions)
• app/tests/test-infra.js — asserts .dockerignore exists and excludes required paths, asserts Dockerfile pins alpine (7 assertions)

Full suite: 148/148 passing after node scripts/build.js.

Test plan

• node scripts/build.js && node --test app/tests/test-*.js — all 148 pass
• Rebased onto current main (dropped old generated app/index.html from pre-refactor commits)
• CI green (lint-go, lint-config, test-node, test-go, docker-build)
• Verify Dockerfile still builds with pinned alpine:3

Closes #36
Closes #37
Closes #43
Closes #44