
fix: misc security and correctness fixes #65

Merged
deer merged 2 commits into main from misc_fixes on Jun 21, 2026

Conversation

@deer deer commented Jun 21, 2026

Owner
  • Response.removeHeader(String) added as a default no-op; HttpResponse overrides it via getResponseHeaders().remove(); SecurityHeadersMiddleware uses it instead of setting headers to "" so suppressed headers are actually absent from responses
  • containsTraversal check removed from StaticFileHandler; Path.normalize() resolves .. before the contains("..") test, making it dead code; the real protection is the startsWith guard in handleDirectory
  • BasicAuthStrategy constructor rejects realm values containing ", \r, or \n with IllegalArgumentException to prevent WWW-Authenticate header injection
  • GraphiQlHandler.escapeJs() helper added; escapes \, ', \r, \n before substituting the endpoint into the JS string literal
  • ChromeDevToolsHandler.forWorkspace() logs a WARNING at call time noting that it exposes the absolute filesystem path
  • JsonErrorHandler.statusText() extended with 413 and 429; stripControlChars() added and applied to HttpException messages to prevent CRLF injection in JSON error bodies
  • SseEvent compact constructor validates data is non-null
  • AuthStrategy.anyOf changed from a lambda to an anonymous class that overrides challenge() to join all delegates' challenges with ", " so the composite WWW-Authenticate header reflects all active schemes
  • LspTransport.tcp() catches SocketException from accept() and breaks cleanly; the enclosing try-with-resources releases the ServerSocket

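As an added example (not the project's own code), here are stand-alone Java versions of the three input-sanitising checks the PR describes: realm validation for WWW-Authenticate, escaping for a value substituted into a JS string literal, and control-character stripping for JSON error bodies. The method names follow the PR description, but the bodies and the class name HeaderSafetyDemo are this example's own.

```java
import java.util.Objects;

// Added example, not the project's code: the bodies below are one plausible
// implementation of the checks named in the PR, written to show why each
// character is rejected or escaped.
public final class HeaderSafetyDemo {

    // BasicAuthStrategy-style realm validation. The realm is emitted inside a
    // quoted-string in WWW-Authenticate, so a quote can close the value early
    // and CR/LF can start a second header line (header injection).
    public static String validateRealm(String realm) {
        Objects.requireNonNull(realm, "realm");
        if (realm.indexOf('"') >= 0 || realm.indexOf('\r') >= 0 || realm.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("realm must not contain \", CR or LF");
        }
        return realm;
    }

    public static String basicChallenge(String realm) {
        return "Basic realm=\"" + validateRealm(realm) + "\"";
    }

    // GraphiQlHandler.escapeJs()-style escaping for a single-quoted JS string
    // literal. The backslash must be escaped first, or later replacements
    // would double-escape the backslashes they introduce.
    public static String escapeJs(String s) {
        return s.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace("\r", "\\r")
                .replace("\n", "\\n");
    }

    // JsonErrorHandler.stripControlChars()-style filter for exception messages
    // echoed into a JSON error body: drops C0 control characters and DEL.
    public static String stripControlChars(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c >= 0x20 && c != 0x7F) sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(basicChallenge("api"));
        System.out.println("var endpoint = '" + escapeJs("/graphql'\n") + "';");
        System.out.println(stripControlChars("payload too\r\nlarge"));
        try { basicChallenge("x\"\r\nX-Injected: 1"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```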
@deer deer merged commit 497ae56 into main Jun 21, 2026
2 checks passed
@deer deer deleted the misc_fixes branch June 21, 2026 18:06