Reject replayed relay frames #1180

Open
joaosa wants to merge 1 commit into getpaseo:main from joaosa:fix/relay-replay-protection

Contributor

@joaosa joaosa commented May 25, 2026

Summary

  • track accepted inbound encrypted frame nonces for each relay channel
  • close the channel before delivery when a nonce is repeated, preventing exact ciphertext replay within a live session
  • export the relay crypto nonce length for channel parsing and update SECURITY.md to document live-session replay rejection

Tests

  • npm run test --workspace=@getpaseo/relay -- src/encrypted-channel.test.ts --bail=1
  • npm run format:files -- SECURITY.md packages/relay/src/crypto.ts packages/relay/src/encrypted-channel.ts packages/relay/src/encrypted-channel.test.ts
  • npm run format:check:files -- SECURITY.md packages/relay/src/crypto.ts packages/relay/src/encrypted-channel.ts packages/relay/src/encrypted-channel.test.ts
  • npm run lint -- packages/relay/src/crypto.ts packages/relay/src/encrypted-channel.ts packages/relay/src/encrypted-channel.test.ts
  • npm run typecheck --workspace=@getpaseo/relay
  • npm run build --workspace=@getpaseo/relay
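
The replay check summarized in the pull request above, as an added TypeScript example that is not the PR's or Paseo's code. It assumes a `nonce || ciphertext` frame layout, a 24-byte `NONCE_LENGTH`, and an injected `Opener` standing in for authenticated decryption; all names are hypothetical.

```typescript
// Added example, not Paseo's code. Assumed wire layout: nonce || ciphertext.
const NONCE_LENGTH = 24; // assumption: the PR text does not state the real value
type Opener = (nonce: Uint8Array, body: Uint8Array) => Uint8Array | null;
type Verdict = "delivered" | "dropped" | "closed";

class ReplayGuardedChannel {
  private readonly seen = new Set<string>(); // nonces of accepted frames, per channel
  private readonly open: Opener;
  closed = false;
  delivered: Uint8Array[] = [];
  constructor(open: Opener) { this.open = open; }

  receive(frame: Uint8Array): Verdict {
    if (this.closed) return "closed";
    if (frame.length <= NONCE_LENGTH) return "dropped"; // no room for nonce plus data
    const nonce = frame.subarray(0, NONCE_LENGTH);
    const key = nonce.join(","); // string form so Set compares by value
    if (this.seen.has(key)) { // repeated nonce: close before anything is delivered
      this.closed = true;
      return "closed";
    }
    const plaintext = this.open(nonce, frame.subarray(NONCE_LENGTH));
    if (plaintext === null) return "dropped"; // failed authentication: nonce not recorded
    this.seen.add(key); // only accepted frames are tracked
    this.delivered.push(plaintext);
    return "delivered";
  }
}

// Builds a constructed test frame: NONCE_LENGTH copies of nonceByte, then body.
function makeFrame(nonceByte: number, body: number[]): Uint8Array {
  const frame = new Uint8Array(NONCE_LENGTH + body.length).fill(nonceByte, 0, NONCE_LENGTH);
  frame.set(body, NONCE_LENGTH);
  return frame;
}

// Constructed input. The opener is a stand-in for AEAD open: a body counts as
// authentic only if it starts with 0x01.
function demo(): Verdict[] {
  const channel = new ReplayGuardedChannel((_n, body) => (body[0] === 1 ? body.subarray(1) : null));
  const first = makeFrame(0xaa, [1, 104, 105]);
  return [
    channel.receive(first), // delivered
    channel.receive(makeFrame(0xbb, [0, 9])), // dropped: fails authentication
    channel.receive(makeFrame(0xbb, [1, 111])), // delivered: 0xbb was never recorded
    channel.receive(first), // closed: exact replay of an accepted frame
    channel.receive(makeFrame(0xcc, [1, 33])), // closed: the channel stays closed
  ];
}
```

Recording the nonce only after the frame authenticates keeps a forged frame from reserving a nonce that a legitimate frame later uses. The set grows with every accepted frame, so a long-lived channel needs a bound or a rekey policy.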
