feat: replace regex markdown with marked.js + DOMPurify

- Swap fragile regex chain for marked.js (proper GFM rendering)
- Add DOMPurify to sanitize LLM output before innerHTML injection
  (prevents XSS via prompt injection in LLM responses)
- Add CSS for markdown tables, checkboxes, and horizontal rules

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jace-ryan