fix(ook): address code review findings from Copilot PR review

- Fix XSS: escape ASCII output in innerHTML via escapeHtml()
- Fix deadlock: use put_nowait() for queue ops under ook_lock
- Fix SSE leak: add ook to moduleDestroyMap so switching modes
  closes the EventSource
- Fix RSSI: explicit null check preserves valid zero values in
  JSON export
- Add frame cap: trim oldest frames at 5000 to prevent unbounded
  memory growth on busy bands
- Validate timing params: wrap int() casts in try/except, return
  400 instead of 500 on invalid input
- Fix PWM hint: correct to short=0/long=1 matching rtl_433
  OOK_PWM convention (UI, JS hints, and cheat sheet)
- Fix inversion docstring: clarify fallback only applies when
  primary hex parse fails, not for valid decoded frames

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

utils/ook.py

@@ -77,9 +77,11 @@ def ook_parser_thread(
     """Thread function: reads rtl_433 JSON output and emits OOK frame events.
 
     Handles the three rtl_433 hex-output field names (``codes``, ``code``,
-    ``data``) and falls back to bit-inverted parsing when the primary hex
-    parse produces no result — needed for transmitters that swap the
-    short/long pulse mapping.
+    ``data``) and, if the initial hex decoding fails, retries with an
+    inverted bit interpretation.  This inversion fallback is only applied
+    when the primary parse yields no usable hex; it does not attempt to
+    reinterpret successfully decoded frames that merely swap the short/long
+    pulse mapping.
 
     Args:
         rtl_stdout: rtl_433 stdout pipe.