Claudony Security Patch: Hardcoded Session Encryption Key Replaced with Auto-Generated Per-Deployment Key
A critical security vulnerability has been patched in the Claudony project. The production session encryption key, `%prod.quarkus.http.auth.session.encryption-key`, was discovered to be hardcoded in a public `application.properties` file. This meant every deployment of the software was using the same shared secret: anyone holding that one key could decrypt or forge session cookies for any instance, so a compromise of one deployment was effectively a compromise of all of them.
The fix introduces a new `EncryptionKeyConfigSource`, a MicroProfile ConfigSource that automatically generates a unique 256-bit key using `SecureRandom` on the first server startup. This key is then persisted to a secure, user-restricted file (`~/.claudony/encryption-key`) and cached in memory for subsequent runs. Crucially, the configuration source keeps its `getProperties()` method empty, ensuring the sensitive key never appears in any configuration dumps or logs. The system maintains backward compatibility, as an environment variable (`QUARKUS_HTTP_AUTH_SESSION_ENCRYPTION_KEY`) can still be used to manually override the auto-generated key.
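A sketch of how such a ConfigSource can be written, added here as an illustration and not taken from the Claudony code base; it assumes the MicroProfile Config API that Quarkus ships, a hypothetical package name, and an ordinal of 200, which sits below the environment-variable source (300) so the `QUARKUS_HTTP_AUTH_SESSION_ENCRYPTION_KEY` override still wins.

```java
package com.example.config; // hypothetical package, not Claudony's

import org.eclipse.microprofile.config.spi.ConfigSource;

import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.*;

/** Serves quarkus.http.auth.session.encryption-key from a per-deployment key file. */
public class EncryptionKeyConfigSource implements ConfigSource {
    static final String PROPERTY = "quarkus.http.auth.session.encryption-key";
    static final Path KEY_FILE = Paths.get(System.getProperty("user.home"), ".claudony", "encryption-key");
    private static String cachedKey; // loaded or generated once per JVM, then served from memory

    @Override
    public String getValue(String name) {
        return PROPERTY.equals(name) ? loadOrCreateKey() : null; // lookups still resolve through getValue
    }

    /** Deliberately empty so the key never shows up in config dumps or startup logs. */
    @Override public Map<String, String> getProperties() { return Collections.emptyMap(); }
    @Override public Set<String> getPropertyNames() { return Collections.emptySet(); }

    /** Below env vars (300): an explicit QUARKUS_HTTP_AUTH_SESSION_ENCRYPTION_KEY overrides us. */
    @Override public int getOrdinal() { return 200; }
    @Override public String getName() { return "claudony-encryption-key"; }

    static synchronized String loadOrCreateKey() {
        if (cachedKey != null) return cachedKey;
        try {
            if (Files.exists(KEY_FILE)) {
                cachedKey = Files.readString(KEY_FILE).trim();
            } else {
                byte[] raw = new byte[32];                         // 256-bit key
                new SecureRandom().nextBytes(raw);
                String key = Base64.getEncoder().encodeToString(raw); // 44 chars, above Quarkus' 16-char minimum
                Files.createDirectories(KEY_FILE.getParent());
                Path tmp = Files.createTempFile(KEY_FILE.getParent(), "key", ".tmp"); // 0600 on POSIX
                Files.writeString(tmp, key);
                Files.move(tmp, KEY_FILE, StandardCopyOption.ATOMIC_MOVE); // no half-written key file
                if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix"))
                    Files.setPosixFilePermissions(KEY_FILE, PosixFilePermissions.fromString("rw-------"));
                cachedKey = key;
            }
        } catch (IOException e) {
            throw new IllegalStateException("cannot read or create " + KEY_FILE, e);
        }
        return cachedKey;
    }
}
```

Register the class in `META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource` so Quarkus picks it up through the standard ServiceLoader mechanism, which also works in native-image builds.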
The remediation was thorough, involving multiple commits that removed the hardcoded key, implemented the new secure source with 15 unit tests, added integration tests, and ensured compatibility with native image builds. The change shifts the security posture from a static, shared secret to a dynamic, deployment-specific one, closing a door that could have led to widespread session hijacking had the original key ever been exposed or cracked.