feat: Implement basic web search UI in serve.py

[oasis-parzival]

Closes #4

This PR adds a simple, self-contained web UI to the serve.py application, allowing users to perform searches directly through a browser. The UI is implemented with inline HTML, CSS, and JavaScript to avoid any external dependencies or build processes, focusing on a clean and functional design similar to Hacker News. It directly calls the existing /search endpoint and displays results in a readable list format.

[MakiDevelop]

Thanks for the contribution! Idea is welcome (issue #4) but there's a security issue that blocks merge plus a few rough edges:

🔴 Critical — Stored XSS via innerHTML

resultDiv.innerHTML = `
    <div class="score">Score: ${result.signal_score.toFixed(3)}</div>
    <div class="route">Route: ${result.route}</div>
    <div>Title: ${result.title}</div>
    <div>Core Insight: ${result.core_insight}</div>
`;

result.title / result.core_insight come from rewritten external pages (this is exactly what the pipeline ingests). A malicious page can inject <script> or <img onerror> that survives ingestion → executed in the browser when user searches.

Fix: use textContent per field, or escape via a helper:

function el(tag, cls, text) {
    const e = document.createElement(tag);
    if (cls) e.className = cls;
    if (text != null) e.textContent = text;
    return e;
}

resultDiv.appendChild(el('div', 'score', `Score: ${result.signal_score.toFixed(3)}`));
resultDiv.appendChild(el('div', 'route', `Route: ${result.route}`));
resultDiv.appendChild(el('div', null, `Title: ${result.title}`));
resultDiv.appendChild(el('div', null, `Core Insight: ${result.core_insight}`));

🟡 Other issues

1. Query not URL-encoded — fetch(\/search?q=${query}`)breaks on&, #, +. Use encodeURIComponent(query)`.
2. No error handling — if /search fails, page silently does nothing. Wrap in try/catch and show an error div.
3. No clickable URL — users likely want to jump to the original source. Add result.url as an <a target="_blank" rel="noopener noreferrer">.
4. Empty query — server returns 400 but UI just shows "No results found." Consider client-side guard.

Path forward

Fix #1 (XSS) — that's the blocker. Items 2-4 are nice-to-have but #2 (encoding) is also a real bug that will frustrate testing.