Adds SureTextField, the form-control primitive following SureButton in the
mobile design-system sequence: a TextFormField wrapper that builds a complete,
brightness-aware InputDecoration from the active SureColors palette (filled
bg-container, borderSecondary hairline -> borderPrimary on focus, destructive
error border, textSubdued placeholder, radiusLg corners) with a DS-style label
rendered above the field and associated to it for screen readers (Material
labelText parity via ExcludeSemantics + Semantics(label:)).
Migrates the custom proxy-headers editor off raw TextFormField as proof.
Filter chips and a segmented control will follow as separate PRs.
Part of #2235.
* Add mobile custom proxy headers
* Clear login placeholders on focus
Email/password fields ship with example values pre-filled. Tapping the
field now clears the placeholder so users don't have to delete it
manually. Skips clearing if the user has already edited the value.
* Push Configuration as a route from Sign in
Opening Configuration from the Sign in screen now uses Navigator.push
instead of toggling a state flag, so Android back returns to Sign in
instead of quitting the app. Saving the URL auto-pops the route.
* Address PR review on custom proxy headers
- Test Connection no longer leaves global ApiConfig headers mutated;
unsaved edits are restored in a finally block after the probe.
- _loadSavedUrl / _loadCustomHeaders wrap storage reads in try/catch and
always finish initialization with sensible defaults.
- Sanitization is now a single CustomProxyHeader.sanitize() reused by
ApiConfig.setCustomProxyHeaders and CustomProxyHeadersService.
- Brief comment on redactedValue explaining the length-obscuring design.
* Harden custom proxy header validation and load path
- validateValue now rejects ASCII control characters (CR/LF/tab/etc.)
to prevent header-injection via crafted values.
- loadHeaders moves the secure-storage read inside the try block so
platform exceptions are caught the same way JSON parse errors are.