Bind optimized HLS base/data segment tokens

[Bladestar2105]

Motivation

• A security issue allowed replay/mix-and-match of split HLS encrypted base and data blobs, letting attackers combine headers/safety flags from one playlist with a URL from another to bypass isSafeUrl and exfiltrate/internal-request sensitive data.
• The change must preserve the optimized split format while preventing cross-playlist token recombination.

Description

• Generate a per-playlist bindingId (b) in the HLS rewriting paths (proxyLive and proxyTimeshift) and include it in both the encrypted base and per-segment data payloads in src/controllers/streamController.js.
• Validate in proxySegment that when a base is supplied the decrypted data.b matches the base.b, returning HTTP 400 on missing/mismatched binding, while keeping legacy single-payload (data only) behavior intact.
• Add/update targeted tests in tests/performance/segment_encryption.test.js to include binding-aware optimized payloads and a negative test that ensures mismatched bindings are rejected.

Testing

• Added/updated tests/performance/segment_encryption.test.js to cover legacy, optimized, and mismatched-binding cases (new negative test asserts 400 for mismatch).
• Attempted to run the targeted suite with npm exec vitest run tests/performance/segment_encryption.test.js but the run failed in this environment due to missing native better-sqlite3 bindings (better_sqlite3.node), so the test suite could not execute here.
• The fix is minimal and localized to src/controllers/streamController.js and the added assertions, preserving existing behaviors; please run CI (or npm exec vitest ...) in an environment with better-sqlite3 native bindings to verify tests pass.

---

Codex Task