Fix XSS, add per-step timeout/retry to workflow engine

index.html:
- Escape started_by in execution list, execution cards, and execution detail modal
- Escape schedule name in schedules list

server.js:
- Per-step timeout: step.timeout (seconds) overrides global COMMAND_TIMEOUT_MS (5s-600s range)
- Per-step retry: step.retries (max 5) with step.retryDelayMs (max 30s) re-sends command on failure
  with command_retry log entries showing attempt/max_retries progress

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

public/index.html

@@ -1343,7 +1343,7 @@
                             <div class="workflow-item" style="opacity: ${s.enabled ? 1 : 0.6};">
                                 <div style="display: flex; justify-content: space-between; align-items: start;">
                                     <div style="flex: 1;">
-                                        <div class="workflow-name">${s.name}</div>
+                                        <div class="workflow-name">${escapeHtml(s.name || '')}</div>
                                         <div style="color: var(--terminal-green); font-family: var(--font-mono); font-size: 0.9em; margin: 8px 0;">
                                             Command: <code>${escapeHtml(s.command)}</code>
                                         </div>
@@ -1529,7 +1529,7 @@
                             <div class="execution-item" onclick="viewExecution('${e.id}')">
                                 <span class="status ${e.status}">${e.status}</span>
                                 <strong>${e.workflow_name || '[Quick Command]'}</strong>
-                                <div class="timestamp">by ${e.started_by} at ${safeDate(e.started_at)?.toLocaleString() ?? 'N/A'}</div>
+                                <div class="timestamp">by ${escapeHtml(e.started_by || '')} at ${safeDate(e.started_at)?.toLocaleString() ?? 'N/A'}</div>
                             </div>
                         `).join('');
                     document.getElementById('dashExecutions').innerHTML = dashHtml;
@@ -1655,7 +1655,7 @@
                             <span class="status ${e.status}">${e.status}</span>
                             <strong>${e.workflow_name || '[Quick Command]'}</strong>
                             <div class="timestamp">
-                                Started by ${e.started_by} at ${safeDate(e.started_at)?.toLocaleString() ?? 'N/A'}
+                                Started by ${escapeHtml(e.started_by || '')} at ${safeDate(e.started_at)?.toLocaleString() ?? 'N/A'}
                                 ${e.completed_at ? ` • Completed at ${safeDate(e.completed_at)?.toLocaleString() ?? 'N/A'}` : elapsed}
                             </div>
                         </div>
@@ -1996,7 +1996,7 @@
                     <div><strong>Status:</strong> <span class="status ${execution.status}">${execution.status}</span></div>
                     <div><strong>Started:</strong> ${safeDate(execution.started_at)?.toLocaleString() ?? 'N/A'}</div>
                     ${execution.completed_at ? `<div><strong>Completed:</strong> ${safeDate(execution.completed_at)?.toLocaleString() ?? 'N/A'}</div>` : ''}
-                    <div><strong>Started by:</strong> ${execution.started_by}</div>
+                    <div><strong>Started by:</strong> ${escapeHtml(execution.started_by || '')}</div>
                 `;
                 
                 if (execution.waiting_for_input && execution.prompt) {