feat: add sensitive data redaction to export (Phase C)

Server-side regex redaction masks IPs, emails, bearer/API tokens, and
UNC paths in exported session content. Redaction runs post-generation
and post-variable-resolution with fail-closed error handling. Frontend
gets a "Mask Sensitive Data" toggle in the export preview modal with
a summary of what was redacted. 24 unit tests passing, frontend build clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

frontend/src/types/session.ts

@@ -85,6 +85,15 @@ export interface SessionExport {
   max_step_index?: number
   include_summary?: boolean
   detail_level?: 'standard' | 'full'
+  redaction_mode?: 'none' | 'mask'
+}
+
+export interface RedactionSummary {
+  ips: number
+  emails: number
+  tokens: number
+  unc_paths: number
+  total: number
 }
 
 export interface SessionComplete {