feat: add sensitive data redaction to export (Phase C)

Server-side regex redaction masks IPs, emails, bearer/API tokens, and
UNC paths in exported session content. Redaction runs post-generation
and post-variable-resolution with fail-closed error handling. Frontend
gets a "Mask Sensitive Data" toggle in the export preview modal with
a summary of what was redacted. 24 unit tests passing, frontend build clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/schemas/session.py

@@ -92,6 +92,8 @@ class SessionExport(BaseModel):
     # Phase B
     include_summary: bool = False
     detail_level: Literal["standard", "full"] = "standard"
+    # Phase C
+    redaction_mode: Literal["none", "mask"] = "none"
 
 
 class SessionComplete(BaseModel):