fix(security): eliminate XSS vulnerabilities in mobile.html and swarm_live.html

Replace all innerHTML string interpolation with safe DOM methods
(createElement, textContent, appendChild) to prevent script injection
from user chat messages and WebSocket agent data.

Fixes: XSS-01, XSS-02

src/dashboard/templates/mobile.html

@@ -193,12 +193,17 @@ async function sendMobileMessage(event) {
             chat.scrollTop = chat.scrollHeight;
         }
     } catch (e) {
-        chat.innerHTML += `
-            <div class="chat-message timmy">
-                <div class="chat-meta">Timmy</div>
-                <div style="color: var(--danger);">Sorry, I couldn't process that. Try again?</div>
-            </div>
-        `;
+        const errDiv = document.createElement('div');
+        errDiv.className = 'chat-message timmy';
+        const errMeta = document.createElement('div');
+        errMeta.className = 'chat-meta';
+        errMeta.textContent = 'Timmy';
+        const errText = document.createElement('div');
+        errText.style.color = 'var(--danger)';
+        errText.textContent = 'Sorry, I could not process that. Try again?';
+        errDiv.appendChild(errMeta);
+        errDiv.appendChild(errText);
+        chat.appendChild(errDiv);
         chat.scrollTop = chat.scrollHeight;
     }
 }

src/dashboard/templates/swarm_live.html

@@ -176,7 +176,14 @@ function addLog(message, type = 'info') {
     
     const entry = document.createElement('div');
     entry.style.marginBottom = '4px';
-    entry.innerHTML = `<span style="color: var(--text-muted);">[${timestamp}]</span> <span style="color: ${color};">${message}</span>`;
+    const tsSpan = _el('span');
+    tsSpan.style.color = 'var(--text-muted)';
+    _t(tsSpan, '[' + timestamp + '] ');
+    const msgSpan = _el('span');
+    msgSpan.style.color = color;
+    _t(msgSpan, message);
+    entry.appendChild(tsSpan);
+    entry.appendChild(msgSpan);
     
     log.appendChild(entry);
     log.scrollTop = log.scrollHeight;