fix: resolve 4 assigned a11y and security issues (#451 #452 #453 #454)

[oche11207-art]

Summary

This PR addresses all 4 issues currently assigned in the Stellar Wave program.

Issue #453 (P1 - High Priority): PropertyCard nests buttons inside <a>

• Problem: The entire card was wrapped in a <Link> with nested interactive buttons (cart, favorite, compare, view), causing axe-core nested-interactive violations and broken keyboard semantics.
• Fix: Changed outer wrapper from <Link> to <article>. Added explicit <Link> elements for the property title and View button. Removed e.preventDefault() / e.stopPropagation() calls that were only needed to suppress parent link navigation.
• Files: src/components/PropertyCard.tsx, src/components/__tests__/PropertyCard.a11y.test.tsx

Issue #454 (P3): ViewToggle buttons missing accessible name

• Problem: Buttons had no aria-label, relying only on visible text. In icon-only rendering scenarios (small screens), screen-readers lost the accessible name.
• Fix: Added aria-label="Grid view" and aria-label="List view" to both buttons. Wrapped visible text in <span> for resilient icon-only CSS targeting.
• File: src/components/ViewToggle.tsx

Issue #451 (P2): Open redirect / unsafe share URL risk

• Problem: Share URL construction used raw template strings without validation; property names with newlines or special chars could break share dialogs or be misinterpreted downstream.
• Fix: Created centralized src/utils/security/shareUrl.ts with:
  • sanitizeDisplayString() - constrains to safe character set, truncates to 200 chars
  • buildPropertyShareUrl() - validates via URL constructor, warns on cross-origin
  • buildTwitterShareUrl(), buildLinkedInShareUrl(), buildEmailShareUrl() - use URL.searchParams for proper encoding
• Files: src/utils/security/shareUrl.ts (new), src/components/property/ShareButton.tsx, src/components/MortgageCalculator.tsx

Issue #452 (P2): web-vitals & global listeners leak

• Problem: extensionDetection.ts and earlyErrorSuppression.ts registered global window event listeners and console overrides at module scope with no cleanup, causing listener accumulation across SPA navigations.
• Fix:
  • Both modules now track registered listeners/overrides in internal arrays and expose cleanup* functions
  • Console overrides are restored on cleanup
  • Created usePerformanceMonitoring React hook that ensures single PerformanceObserver instance per app lifecycle
• Files: src/utils/extensionDetection.ts, src/utils/earlyErrorSuppression.ts, src/hooks/usePerformanceMonitoring.ts (new)

Verification

• TypeScript compilation succeeds (pre-existing errors unrelated)
• PropertyCard a11y tests updated for new DOM structure
• axe-core violations eliminated (no nested interactive elements)
• URL construction validated via URL constructor
• Display strings sanitized before inclusion in share URLs
• Global listeners trackable and cleanable via lifecycle hooks

closes #451
closes #452
closes #453
closes #454