Fix path injection, sensitive attribute exposure, and error body truncation

Security fixes from audit:

- Escape user-supplied strings (ext_relation_id, interface_name) with
  url.PathEscape before interpolating into API URL paths, preventing
  path traversal via crafted values like "../admin" or "foo/bar"
- Mark auth token URL attributes as Sensitive in both
  virtfusion_user_auth_token and virtfusion_user_server_auth_token
  resources, since the URL embeds the signed token
- Truncate raw API error response bodies to 500 bytes in error messages
  to prevent leaking sensitive data from verbose Laravel error responses

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/client/errors.go

@@ -13,12 +13,21 @@ type APIError struct {
 	Errors     map[string][]string
 }
 
+// maxErrorBodyLen is the maximum number of bytes from the API response body
+// to include in error messages, to avoid leaking sensitive data from verbose
+// error responses.
+const maxErrorBodyLen = 500
+
 func (e *APIError) Error() string {
 	if len(e.Errors) > 0 {
 		return fmt.Sprintf("VirtFusion API error %d (%s): %v", e.StatusCode, e.Status, e.Errors)
 	}
 	if e.Body != "" {
-		return fmt.Sprintf("VirtFusion API error %d (%s): %s", e.StatusCode, e.Status, e.Body)
+		body := e.Body
+		if len(body) > maxErrorBodyLen {
+			body = body[:maxErrorBodyLen] + "... (truncated)"
+		}
+		return fmt.Sprintf("VirtFusion API error %d (%s): %s", e.StatusCode, e.Status, body)
 	}
 	return fmt.Sprintf("VirtFusion API error %d (%s)", e.StatusCode, e.Status)
 }