feat(security,timer): harden auth and add multi-instance coordination

- Extract JASPER_URL into a shared constants module
- Pass login credentials via a temp curl config file to avoid exposure
  in the process argument list (ps/proc)
- Replace vim.ui.input secret prompt with vim.fn.inputsecret()
- Add -s (silent) flag to all curl calls to suppress progress output
- Guard curl output parser against missing newline in stdout
- Track per-activity shared timestamp file
  (/tmp/jasper_<id>.last_activity)
  so the inactivity watchdog skips auto-pause when another Neovim
  instance is still active on the same task
- Clean up leftover uv_timer on repeated begin_tracking calls
- Remove shared activity file on teardown only when this instance wrote
  it

lua/jasper/api.lua

@@ -3,7 +3,8 @@
 
 local M = {}
 
-local JASPER_URL = "https://jasper.4sigma.it"
+local constants = require("jasper.constants")
+local JASPER_URL = constants.JASPER_URL
 
 --- Run a curl command and return the parsed JSON body + HTTP status code.
 --- @param args string[]  full curl argument list (without the URL, which is last)
@@ -22,6 +23,9 @@ local function curl(args)
 
   -- Split body and status code
   local last_newline = result.stdout:match(".*\n()")
+  if not last_newline then
+    return nil, 0, "curl: unexpected output format (no newline)"
+  end
   local status_code = tonumber(result.stdout:sub(last_newline)) or 0
   local body = result.stdout:sub(1, last_newline - 2) -- strip trailing \n + status line
 
@@ -38,6 +42,7 @@ end
 local function get(path, token)
   return curl({
     "curl",
+    "-s",
     "-H",
     "Authorization: Token " .. token,
     JASPER_URL .. path,
@@ -51,6 +56,7 @@ end
 local function post(path, token, form)
   local args = {
     "curl",
+    "-s",
     "-X",
     "POST",
     "-H",