
fix: fully mask form-encoded sensitive values #277

@ioncache

Description


Problem

Form-encoded sensitive values are only partially masked when the value contains punctuation or URL-encoded characters. This can leave part of a secret visible even though the field name matched a default sensitive pattern.

Observed behavior

After yarn build, probing the built package showed:

sanitizeData('password=abc-123&username=mark')
=> 'password=**********-123&username=mark'

sanitizeData('password=a%2Bb%2Fc&username=mark')
=> 'password=**********%2Bb%2Fc&username=mark'

The secret suffix remains visible after the mask.

Expected behavior

Matched form-encoded fields should mask or remove the full field value up to the field delimiter, including punctuation and URL-encoded characters.

password=abc-123&username=mark
=> password=**********&username=mark

password=a%2Bb%2Fc&username=mark
=> password=**********&username=mark

Relevant files

  • src/matchers.ts — formEncodedMatcher masking regex currently stops too early for punctuation-bearing values.
  • src/replacers.ts — replacement behavior applies matcher capture groups.
  • test/matchers.test.ts and test/replacers.test.ts — add coverage for punctuation and URL-encoded form values.
  • README.md — public contract says form-encoded strings and URL-encoded-like values are supported.

Acceptance criteria

  • Sensitive form values containing -, %, +, /, ., :, or similar non-delimiter punctuation are fully masked.
  • Removal mode still removes complete matched fields and leaves clean delimiters.
  • Existing matcher and replacer tests remain green.
  • Add regression tests covering punctuation and URL-encoded values.
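The following is an added example, not code from this project or this issue's author, showing the matcher/replacer shape the acceptance criteria describe: the value capture runs to the `&` delimiter (so punctuation and percent-encoded bytes stay inside the match), masking replaces the whole value, and removal mode drops the complete field and normalises the delimiters it leaves behind. The function name `sanitizeFormEncoded`, the `SENSITIVE_NAMES` list and the ten-character mask are assumptions; the project's real `sanitizeData` and its default patterns are not on the page.

```typescript
// Added example (not the project's code): mask or remove form-encoded sensitive
// fields up to the field delimiter, including punctuation and URL-encoded bytes.

// Hypothetical default field-name patterns; the project's actual list is not on the page.
const SENSITIVE_NAMES = /^(?:password|passwd|secret|token|api[_-]?key)$/i;
const MASK = '**********'; // ten characters, matching the issue's expected output

type Mode = 'mask' | 'remove';

// Capture groups: (1) delimiter before the field, (2) field name, (3) field value.
// `[^&]*` consumes everything up to the next `&`, so `-`, `%`, `+`, `/`, `.`, `:`
// and percent-encoded sequences remain part of the value instead of ending it early
// the way a word-character class would.
const FORM_FIELD = /(^|&)([^&=]+)=([^&]*)/g;

function sanitizeFormEncoded(input: string, mode: Mode = 'mask'): string {
  const replaced = input.replace(
    FORM_FIELD,
    (whole: string, delim: string, name: string, _value: string): string => {
      // Decode the name so a percent-encoded field name still matches; keep the raw
      // name if the encoding is malformed.
      let decoded = name;
      try {
        decoded = decodeURIComponent(name);
      } catch {
        /* keep raw name */
      }
      if (!SENSITIVE_NAMES.test(decoded)) return whole;
      // Mask mode keeps the delimiter and name, replacing the entire value.
      // Remove mode drops the field together with its leading delimiter.
      return mode === 'mask' ? `${delim}${name}=${MASK}` : '';
    },
  );
  if (mode !== 'remove') return replaced;
  // Removing the first field leaves a leading `&`; removing the last leaves a
  // trailing one; adjacent removals can leave `&&`. Collapse all of these.
  return replaced.replace(/&{2,}/g, '&').replace(/^&|&$/g, '');
}

// Illustrative usage; these match the outputs the issue expects.
console.log(sanitizeFormEncoded('password=abc-123&username=mark'));
console.log(sanitizeFormEncoded('password=a%2Bb%2Fc&username=mark'));
console.log(sanitizeFormEncoded('password=abc-123&username=mark', 'remove'));
```

The regression cases worth keeping are the two strings from the issue body plus a removal at the start, middle and end of the query string, since delimiter clean-up is where removal mode most often regresses.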
