Fix SonarQube issues, store sessions in Redis, use direct analytics URLs

- ApiSandboxController: reduce scan() returns from 4 to 3 via ternary
- ApiDocController: add MIME_JSON constant, extract buildInsomniaRequest()
  and buildInsomniaBody() to reduce cognitive complexity
- Store sessions in Redis to fix SSO disconnect with 2 PHP replicas
  (round-robin load balancing caused session loss on filesystem storage)
- Configure session cookie: 24h lifetime, secure auto, samesite lax
- Replace Caddy analytics proxies (/stats/*, /assets/perf.js, /sperf)
  with direct URLs to tools-security.esy-web.dev and cloudflareinsights.com
- Update JS tests for new direct analytics URLs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tests/js/cookie-consent.test.js

@@ -66,7 +66,7 @@ describe('initCookieConsent', () => {
         document.getElementById('cookie-accept').click()
         const script = document.querySelector('script[data-analytics]')
         expect(script).not.toBeNull()
-        expect(script.src).toContain('/stats/script.js')
+        expect(script.src).toContain('tools-security.esy-web.dev/script.js')
         expect(script.dataset.websiteId).toBe('a1f85dd5-741f-4df7-840a-7ef0931ed0cc')
     })
 
@@ -105,7 +105,7 @@ describe('initCookieConsent', () => {
         document.getElementById('cookie-accept').click()
         const script = document.querySelector('script[data-cf-beacon]')
         expect(script).not.toBeNull()
-        expect(script.src).toContain('/assets/perf.js')
+        expect(script.src).toContain('static.cloudflareinsights.com/beacon.min.js')
     })
 
     it('does not duplicate cloudflare script', () => {