fix: deep link injection, missing AuthGuard on sensitive routes, and SSRF in ActionsService.send$() #3403

Draft
Copilot wants to merge 2 commits into main from copilot/fix-deep-link-handler-security

Copilot AI commented Apr 10, 2026

Three high-severity security vulnerabilities in the deep link handler, route guards, and Bubble API client.

Deep link injection (app.component.ts)

The previous handler split on .app and passed the tail directly to router.navigateByUrl() — no host validation, no parameter stripping, no route allowlist.

// Before — fully injectable
const slug = event.url.split('.app').pop();
if (slug) this.router.navigateByUrl(slug);

// After — validated, sanitised, allowlisted
const parsedUrl = new URL(event.url);
if (parsedUrl.hostname !== AppComponent.DEEP_LINK_HOST) return;
const pathname = parsedUrl.pathname
  .split('/').map(segment => segment.split(';')[0]).join('/');
if (pathname.includes('..')) return;
const isAllowed = AppComponent.ALLOWED_DEEP_LINK_ROUTES.some(
  prefix => pathname === prefix || pathname.startsWith(`${prefix}/`)
);
if (pathname && isAllowed) this.router.navigateByUrl(pathname);

Changes: strict hostname check (capture-cam-deep-links.web.app), matrix-parameter stripping per segment, path-traversal guard, and an explicit route allowlist.

Missing AuthGuard on sensitive routes (app-routing.module.ts)

Six routes had no canActivate guard, making them reachable by unauthenticated users — including via crafted deep links:

  • wallets — wallet balances / key material
  • contacts — user contact list
  • media-viewer/:src — arbitrary user-controlled URL as route param
  • invitation, data-policy, terms-of-use

Added canActivate: [AuthGuard] to all six.

SSRF vector in ActionsService.send$() (actions.service.ts)

send$(url, body) accepted an arbitrary URL and issued an unauthenticated POST with no restrictions. Now validates the target starts with a known Bubble API base URL (BUBBLE_DB_URL or BUBBLE_API_URL); any other target throws Error: Request to disallowed URL: <url>.

Copilot AI changed the title from "[WIP] Fix deep link handler validation issue" to "fix: deep link injection, missing AuthGuard on sensitive routes, and SSRF in ActionsService.send$()" Apr 10, 2026
Copilot AI requested a review from numbers-official April 10, 2026 10:27
Successfully merging this pull request may close these issues.

[Security][High] Deep link injection, missing AuthGuard, unauthenticated Bubble API, and embedded client key
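
The SSRF fix in the description is summarised as checking that the target "starts with" a known base URL. As an added example (not code from this PR or the project), the TypeScript below contrasts a raw string-prefix test with a check on the parsed origin and a path-segment boundary. The base URLs and sample targets are constructed placeholders, since the real BUBBLE_DB_URL and BUBBLE_API_URL values are not shown on the page, and the prefix form is an assumption about how such a check might be written.

```typescript
// Added example, not the project's code. Bases are constructed placeholders
// standing in for BUBBLE_DB_URL / BUBBLE_API_URL.
const ALLOWED_BASES: readonly string[] = [
  'https://db.example.test',
  'https://api.example.test/api/1.1/wf',
];

// Assumed naive form: string-prefix test on the unparsed URL.
function isAllowedByPrefix(target: string): boolean {
  return ALLOWED_BASES.some(base => target.startsWith(base));
}

// Stricter form: parse first, then require an exact origin match and a
// path match that ends on a segment boundary.
function isAllowedByOrigin(target: string): boolean {
  let url: URL;
  try {
    url = new URL(target); // throws on relative or malformed input
  } catch {
    return false;
  }
  if (url.protocol !== 'https:' || url.username !== '' || url.password !== '') {
    return false;
  }
  return ALLOWED_BASES.some(raw => {
    const base = new URL(raw);
    if (url.origin !== base.origin) return false;
    const prefix = base.pathname.replace(/\/+$/, '');
    return url.pathname === prefix || url.pathname.startsWith(`${prefix}/`);
  });
}

// Constructed targets: the first is legitimate, the rest should be refused.
const SAMPLE_TARGETS: readonly string[] = [
  'https://api.example.test/api/1.1/wf/send',
  'https://db.example.test.other.example/obj',       // different host, same prefix
  'https://api.example.test/api/1.1/wfx/send',       // sibling path
  'https://api.example.test/api/1.1/wf/../../admin', // normalises to /api/admin
];

function compareChecks(): { target: string; prefix: boolean; origin: boolean }[] {
  return SAMPLE_TARGETS.map(target => ({
    target,
    prefix: isAllowedByPrefix(target),
    origin: isAllowedByOrigin(target),
  }));
}
```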