Fix: trailing-slash 301 redirects downgrading https to http (#217)

[mdorf]

Summary

Fixes #217. Behind a TLS-terminating proxy under Rack 3, request.scheme returns http because X-Forwarded-Proto is no longer auto-trusted. Sinatra's redirect helper was expanding the relative target to an absolute URL using that scheme, so https:// requests with a trailing slash got Location: http://... and were blocked as mixed content by browsers (e.g. biomixer's /paths_to_root/ calls from bioportal.bioontology.org).

• Build the redirect URL explicitly in a helper, reading X-Forwarded-Proto for the scheme and falling back to request.scheme when the header is absent or not http/https.
• Host stays request.host_with_port. X-Forwarded-Host is not read — it isn't needed for the fix, and trusting it would widen the open-redirect surface if a proxy ever passed client-supplied values through.
• Also includes a Gemfile.lock bump for ncbo_cron and ontologies_linked_data (unrelated to this fix; carried over from the branch base).

Test plan

Regression tests in test/controllers/test_home_controller.rb cover:

• forwarded https scheme is preserved in Location
• missing X-Forwarded-Proto falls back to request.scheme
• invalid X-Forwarded-Proto (e.g. javascript) falls back to request.scheme
• chained X-Forwarded-Proto: https, http uses the leftmost (client-facing) value
• URL-encoded path segments (%3A/%2F in the class IRI from the issue's repro) round-trip through the redirect unchanged
• query string is preserved on the redirect target

Verify in staging by curling a trailing-slash URL through the proxy and confirming location: https://... in the 301 response.