feat: add security header profiles to bulk apply

Add support for bulk applying or removing security header profiles from multiple proxy hosts simultaneously via the Bulk Apply modal.

Features:
- New bulk endpoint: PUT /api/v1/proxy-hosts/bulk-update-security-headers
- Transaction-safe updates with single Caddy config reload
- Grouped profile selection (System/Custom profiles)
- Partial failure handling with detailed error reporting
- Support for profile removal via "None" option
- Full i18n support (en, de, es, fr, zh)

Backend:
- Add BulkUpdateSecurityHeaders handler with validation
- Add DB() getter to ProxyHostService
- 9 unit tests, 82.3% coverage

Frontend:
- Extend Bulk Apply modal with security header section
- Add bulkUpdateSecurityHeaders API function
- Add useBulkUpdateSecurityHeaders mutation hook
- 8 unit tests, 87.24% coverage

Testing:
- All tests passing (Backend + Frontend)
- Zero TypeScript errors
- Zero security vulnerabilities (Trivy + govulncheck)
- Pre-commit hooks passing
- No regressions

Docs:
- Update CHANGELOG.md
- Update docs/features.md with bulk workflow

frontend/src/api/proxyHosts.ts

@@ -105,3 +105,27 @@ export const bulkUpdateACL = async (
   });
   return data;
 };
+
+export interface BulkUpdateSecurityHeadersRequest {
+  host_uuids: string[];
+  security_header_profile_id: number | null;
+}
+
+export interface BulkUpdateSecurityHeadersResponse {
+  updated: number;
+  errors: { uuid: string; error: string }[];
+}
+
+export const bulkUpdateSecurityHeaders = async (
+  hostUUIDs: string[],
+  securityHeaderProfileId: number | null
+): Promise<BulkUpdateSecurityHeadersResponse> => {
+  const { data } = await client.put<BulkUpdateSecurityHeadersResponse>(
+    '/proxy-hosts/bulk-update-security-headers',
+    {
+      host_uuids: hostUUIDs,
+      security_header_profile_id: securityHeaderProfileId,
+    }
+  );
+  return data;
+};