Security improvements and API compatibility fixes (v0.3.6)

- Add recursive key sorting for response signing compatibility
- Fix IP header spoofing in rate limiting with trusted proxy support
- Add CSRF protection to CSV export with nonce verification
- Explicit Twig autoescape for XSS prevention
- Escape status values in CSS classes
- Update README with security documentation and trusted proxy config
- Update translations for v0.3.6

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-23 21:18:32 +01:00
parent c7967f71ab
commit 35d802c2b8
11 changed files with 669 additions and 392 deletions


@@ -1,6 +1,6 @@
<div class="wrap">
<h1 class="wp-heading-inline">{{ __('Licenses') }}</h1>
<a href="{{ admin_url }}?action=export_csv" class="page-title-action">
<a href="{{ export_csv_url() }}" class="page-title-action">
<span class="dashicons dashicons-download" style="vertical-align: middle;"></span>
{{ __('Export CSV') }}
</a>
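Review bot: Swapping `{{ admin_url }}?action=export_csv` for `{{ export_csv_url() }}` moves the nonce generation the commit message describes out of the template, so this hunk alone no longer shows that the export link is protected; please document the `export_csv_url()` Twig function where it is registered (that it appends the nonce and which action name it is bound to) so the handler side can be verified to check the same nonce and a capability before streaming the CSV. A nonce carried in a GET link is also exposed through referrer headers and access logs, which is worth noting in the README section this commit adds.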
@@ -143,8 +143,8 @@
</td>
<td class="wclp-editable-cell" data-field="status" data-license-id="{{ item.license.id }}">
<span class="wclp-display-value">
<span class="license-status license-status-{{ item.license.status }}">
{{ item.license.status|capitalize }}
<span class="license-status license-status-{{ esc_attr(item.license.status) }}">
{{ esc_html(item.license.status)|capitalize }}
</span>
</span>
<button type="button" class="wclp-edit-btn button-link" title="{{ __('Edit') }}">
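Review bot: With Twig autoescape explicitly enabled (as the commit message states), `{{ esc_html(item.license.status)|capitalize }}` and `{{ esc_attr(item.license.status) }}` are escaped twice, so a status containing `&` would render as `&amp;amp;`; either drop the manual escaping and rely on autoescape, or apply `|raw` after the explicit call, but not both. Escaping also does not constrain the generated class name `license-status-...`: an unexpected status value still yields an arbitrary class, so a small allowlist of known statuses (falling back to a neutral class) is the stronger check here.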