Status: Open
Labels: enhancement (New feature or request)
## Problem
The codebase has ~30 instances of `JS.InvokeVoidAsync("eval", $"...");` across Dashboard.razor, Settings.razor, SessionSidebar.razor, ExpandedSessionView.razor, MainLayout.razor, and SessionListItem.razor. This pattern has three problems:
- XSS risk: Several calls interpolate C# values directly into JS source strings (e.g. `$"...'{inputId}'..."`, `$"...'{dataTheme}'..."`). If any value originates from user input, it could inject arbitrary JS.
- Prompt injection surface: Dashboard.razor sends user prompts through eval-based JS interop in the orchestrator routing path.
- Maintainability: Inline JS strings are hard to debug, lint, or test.
## Proposed Fix
Create a dedicated `wwwroot/js/polypilot-interop.js` module with named functions:
```js
export function portalElement(selector) { ... }
export function setThemeAttribute(theme) { ... }
export function focusAndSetValue(elementId, value) { ... }
```
Then call via `JS.InvokeVoidAsync("portalElement", selector)` — parameterized, no eval, no injection.
## Scope
~30 eval calls across 6 files. Can be done incrementally per-file.
Found during multi-model review of PR #205.