Security, performance, bug fixes, and TDS improvements

Security:
- HIGH-1: Validate hex color format before CSS interpolation in sanitize.ts
- HIGH-5: Add sandbox attribute to OpenStreetMap iframe
- MED-1: Fix permissive URL scheme regex in LINKIFY_OPTS
- MED-3/HIGH-4: Add .js.map blocking + CSP header to nginx config
- LOW-2: Validate OIDC authUrl scheme before window.open
- Accessibility: Remove maximum-scale=1.0 from viewport meta (WCAG 1.4.4)

Performance:
- O(1) Map index in computePositions (was O(M×T) findIndex per member)
- Add RoomMemberEvent.Membership subscription so positions update on join/leave
- Fix uncleaned 2000ms setTimeout in RoomTimeline useLayoutEffect

Bug fixes:
- BUG-5: Add QUEUED/CANCELLED cases to DeliveryStatus component
- BUG-6: Guard DeliveryStatus against state events via isState() check
- BUG-10: Clamp PiP position on window resize
- BUG-14: Separate runLotusBootSequence into dedicated useEffect([lotusTerminal])
- Fix aria-live on typing indicator (WCAG 4.1.3)
- Add aria-label + aria-multiline to message editor

TDS (Lotus Terminal Design System):
- Add reaction chip styles (dark + light mode)
- Add GIF picker CSS via globalStyle instead of runtime injection
- Add URL preview styles (dark + light mode)
- Add complete GIF picker light-mode TDS block (was missing)

src/app/components/CallEmbedProvider.tsx

@@ -431,6 +431,20 @@ export function CallEmbedProvider({ children }: CallEmbedProviderProps) {
     }
   }, [pipMode, callVisible]);
 
+  React.useEffect(() => {
+    if (!pipMode) return;
+    const onPipWindowResize = (): void => {
+      const el = callEmbedRef.current;
+      if (!el) return;
+      const l = parseFloat(el.style.left);
+      const t = parseFloat(el.style.top);
+      if (!isNaN(l)) el.style.left = `${Math.max(0, Math.min(l, window.innerWidth - el.offsetWidth))}px`;
+      if (!isNaN(t)) el.style.top = `${Math.max(0, Math.min(t, window.innerHeight - el.offsetHeight))}px`;
+    };
+    window.addEventListener('resize', onPipWindowResize);
+    return () => window.removeEventListener('resize', onPipWindowResize);
+  }, [pipMode, callEmbedRef]);
+
   const handlePipMouseDown = (e: React.MouseEvent) => {
     const el = callEmbedRef.current; if (!el) return;
     const rect = el.getBoundingClientRect();

src/app/components/editor/Editor.tsx

@@ -140,6 +140,8 @@ export const CustomEditor = forwardRef<HTMLDivElement, CustomEditorProps>(
                 data-editable-name={editableName}
                 className={css.EditorTextarea}
                 placeholder={placeholder}
+                aria-label={placeholder ?? 'Message input'}
+                aria-multiline="true"
                 renderPlaceholder={renderPlaceholder}
                 renderElement={renderElement}
                 renderLeaf={renderLeaf}

src/app/components/message/MsgTypeRenderers.tsx

@@ -410,6 +410,7 @@ export function MLocation({ content }: MLocationProps) {
         }}
         scrolling="no"
         loading="lazy"
+        sandbox="allow-scripts allow-same-origin"
       />
       <Text size="T300" style={{ opacity: 0.65 }}>
         {`${lat.toFixed(5)}, ${lon.toFixed(5)}`}