fix(mini-app): use JSON.stringify for JS-string context in task-detail

ISSUE-002 (HIGH): `const taskId = '${escapeHtml(data.taskId)}'` escapes
HTML (& < > ") but NOT single quote — wrong escape domain for a JS
string literal. A taskId containing ' or \n breaks out of the string
and injects arbitrary JS. email-full.ts already uses the correct
JSON.stringify pattern; task-detail had drifted.

ISSUE-008 (MED): `data.status.toUpperCase()` was rendered unescaped.
TS's 'active'|'blocked'|'complete' union is a type assertion at the DB
boundary (server.ts:315), not runtime-validated — a corrupted row
could inject HTML. Wrap in escapeHtml.

Also wrap the taskId in encodeURIComponent when building the SSE URL
so it survives special characters that JSON.stringify passes through.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: topcoder1

src/mini-app/templates/task-detail.ts

@@ -69,7 +69,7 @@ export function renderTaskDetail(data: TaskDetailData): string {
 </head>
 <body data-updated-at="${escapeHtml(data.startedAt)}">
   <div class="header">
-    <div class="status">${data.status.toUpperCase()}</div>
+    <div class="status">${escapeHtml(String(data.status).toUpperCase())}</div>
     <div class="title">${escapeHtml(data.title)}</div>
   </div>
   <div style="margin-bottom:16px;">${stepsHtml}</div>
@@ -79,8 +79,8 @@ export function renderTaskDetail(data: TaskDetailData): string {
     <button class="btn" style="color:#f85149;">Abort</button>
   </div>
   <script>
-    const taskId = '${escapeHtml(data.taskId)}';
-    const evtSource = new EventSource('/api/task/' + taskId + '/stream');
+    const taskId = ${JSON.stringify(data.taskId)};
+    const evtSource = new EventSource('/api/task/' + encodeURIComponent(taskId) + '/stream');
 
     evtSource.onmessage = function(event) {
       const state = JSON.parse(event.data);