Security improvements and API compatibility fixes (v0.3.6)

- Add recursive key sorting for response signing compatibility
- Fix IP header spoofing in rate limiting with trusted proxy support
- Add CSRF protection to CSV export with nonce verification
- Explicit Twig autoescape for XSS prevention
- Escape status values in CSS classes
- Update README with security documentation and trusted proxy config
- Update translations for v0.3.6

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

templates/frontend/licenses.html.twig

@@ -12,8 +12,8 @@
                             {{ esc_html(item.product_name) }}
                         {% endif %}
                     </h3>
-                    <span class="license-status license-status-{{ item.license.status }}">
-                        {{ item.license.status|capitalize }}
+                    <span class="license-status license-status-{{ esc_attr(item.license.status) }}">
+                        {{ esc_html(item.license.status)|capitalize }}
                     </span>
                 </div>