fix: call system bugs and security hardening

- CallEmbed: fix memory leak — mx event listeners were never removed
  because dispose() called .bind(this) again, creating new function
  objects. Now uses arrow class fields so start()/dispose() share the
  exact same reference.
- callPreferences: toggleVideo is a no-op when cameraOnJoin=false,
  preventing internal state drift from the returned value.
- CallControls: PTT key guard now blocks on SELECT elements and walks
  the DOM for inherited contentEditable to prevent key interception
  inside dropdowns and custom editors.
- RoomInput: GIF fetch validates Giphy CDN domain allow-list,
  HTTP Content-Type header, and enforces 20 MB size cap.
root
2026-05-15 15:08:55 -04:00
parent 303f6fbd45
commit d81c3c8721
4 changed files with 41 additions and 14 deletions
+2 -1
@@ -36,6 +36,7 @@ export const useCallPreferences = (): CallPreferences & {
}, [setPref, pref]);
const toggleVideo = useCallback(() => {
if (!cameraOnJoin) return;
const video = !pref.video;
setPref({
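Review bot: The early return `if (!cameraOnJoin) return;` at the top of toggleVideo fails silently, so a caller cannot tell an ignored toggle from a successful one. Add a one-line comment explaining why video must not be toggled while cameraOnJoin is false. If the hook does not already expose that state, return it (or a disabled flag) so the control that calls toggleVideo can render as disabled instead of doing nothing on click.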
@@ -43,7 +44,7 @@ export const useCallPreferences = (): CallPreferences & {
video,
sound: pref.sound,
});
}, [setPref, pref]);
}, [setPref, pref, cameraOnJoin]);
const toggleSound = useCallback(() => {
const sound = !pref.sound;
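Review bot: toggleVideo still derives the next state from the captured `pref` (`const video = !pref.video;` with `sound: pref.sound`), and toggleSound just below does the same with `!pref.sound`, so two calls before the next render compute the same value. Listing cameraOnJoin in the dependency array is correct for the new guard, but if setPref accepts an updater function, building the new object from the previous state there would remove the reliance on a fresh `pref` closure in both callbacks.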