
fix(security): percent-encode API query parameters to prevent injection #2301

Draft
cursor[bot] wants to merge 2 commits into main from cursor/application-security-review-2ae8

Conversation

cursor[bot] commented Jun 24, 2026


Vulnerability summary

HTTP and SSE API providers built GET/DELETE URLs by concatenating query parameter keys and values without percent-encoding. Attacker-controlled parameter values containing & or = could inject additional query parameters (parameter pollution).

Affected location

  • modules/ensemble/lib/framework/apiproviders/http_api_provider.dart
  • modules/ensemble/lib/framework/apiproviders/sse_api_provider.dart

Security impact

Medium — An attacker who controls input that flows into API parameters (e.g., via ${userInput} in YAML) can append extra query parameters to outbound requests. This can bypass server-side filters, escalate privileges, or alter API behavior when backends use inconsistent parameter precedence.

Attack path

  1. Attacker supplies input such as foo&role=admin
  2. App passes it into an invokeAPI GET parameter via expression evaluation
  3. Provider builds ?q=foo&role=admin&limit=10 instead of encoding the value
  4. Backend receives unintended role=admin parameter

Fix approach

Introduce appendEncodedQueryParameters() using Uri.replace(queryParameters:) to merge and encode all query parameters safely.

Tests

  • Added modules/ensemble/test/api_query_param_security_test.dart with regression tests for value injection, key injection, and merging with existing URL parameters.
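The vulnerable concatenation and the Uri.replace(queryParameters:) merge described above, as an added example that is not the Ensemble project's code: the helper name appendEncodedQueryParameters is taken from the PR description, but its signature, the sample URL and the sample parameters are assumptions.

```dart
// Added example, not code from the Ensemble project. The helper name
// appendEncodedQueryParameters is taken from the PR description; its
// signature and the sample URL below are assumptions.

/// Vulnerable pattern the PR describes: keys and values are concatenated
/// verbatim, so a value such as 'foo&role=admin' is parsed by the backend
/// as two separate parameters.
String buildUrlByConcatenation(String base, Map<String, String> params) {
  final separator = base.contains('?') ? '&' : '?';
  final query = params.entries.map((e) => '${e.key}=${e.value}').join('&');
  return '$base$separator$query';
}

/// Hardened version: Uri.replace(queryParameters:) percent-encodes every
/// key and value. Existing parameters are read with queryParametersAll so
/// repeated keys already on the URL survive the merge; new keys override.
Uri appendEncodedQueryParameters(Uri base, Map<String, String> params) {
  final merged = <String, Object>{...base.queryParametersAll, ...params};
  return base.replace(queryParameters: merged);
}

void main() {
  // Constructed sample input: one parameter already on the URL plus a
  // user-supplied value carrying the injection attempt from the attack path.
  const base = 'https://api.example.com/search?limit=10';
  final userParams = {'q': 'foo&role=admin'};

  final unsafe = buildUrlByConcatenation(base, userParams);
  print('concatenated : $unsafe');
  print('backend sees : ${Uri.parse(unsafe).queryParameters}');

  final safe = appendEncodedQueryParameters(Uri.parse(base), userParams);
  print('encoded      : $safe');
  print('backend sees : ${safe.queryParameters}');

  // Key injection ('q&role=admin' used as a parameter name) is neutralised
  // the same way, because keys are encoded as well as values.
  final keyCase =
      appendEncodedQueryParameters(Uri.parse(base), {'q&role=admin': 'foo'});
  print('key injection: ${keyCase.queryParameters}');
}
```

Run with `dart run`. In the concatenated URL the parser yields a separate `role` parameter; in the encoded URL the `&` and `=` inside the value are emitted as `%26` and `%3D`, so the backend sees a single `q` parameter whose value is the original string and no `role` at all. One caveat: Dart's query encoder writes spaces as `+`, so the receiving side must decode query strings as form-encoded, which every mainstream web framework does.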

cursoragent and others added 2 commits June 24, 2026 09:07
HTTP and SSE API providers concatenated query parameter values directly
into URLs without encoding. Attacker-controlled values containing & or =
could inject additional query parameters, enabling parameter pollution
attacks against backend APIs.

Use Uri.replace(queryParameters:) via appendEncodedQueryParameters() to
properly encode keys and values. Adds regression tests.

Co-authored-by: Sharjeel Yunus <sharjeelyunus@users.noreply.github.com>
Co-authored-by: Sharjeel Yunus <sharjeelyunus@users.noreply.github.com>
