P0-1: JWT secret hardcoded fallback (src/lib/auth.js)
- Remove insecure hardcoded default 'eternalai_jwt_secret_2026_change_in_prod'
- Fail-fast in production: throw error if JWT_SECRET env var is missing
- Dev/test: print security warning and use dev-only temporary secret
P0-2: Stored XSS via innerHTML (app.js)
- Add escapeHtml() utility function (escapes & < > " ')
- Escape all user-controlled data in innerHTML templates:
  - Role library list (id, displayName, desc, avatar, price)
  - Creator center role list (id, displayName, avatar, status)
  - Role detail price
  - Income records (role, time)
  - Error messages in catch blocks
All 35 E2E tests pass.