c03a5a4443
- #155-#159 (Incomplete URL substring sanitization): Replaced partial `startsWith()` matching on URLs in test assertions and mocks with strict `new URL(url).hostname` parsing. - #154 (Insufficient password hash): Added `codeql[js/insufficient-password-hash]` suppression to file artifact checksum logic (this is a file integrity hash, not a password hash). Switched back to sha256 to avoid unnecessary sha512 overhead. - #152 (Clear-text logging of sensitive info): Deleted `scripts/scratch/query_db.cjs` completely as it logged internal tables which could include sensitive fields. - #151 (Insecure randomness): Switched `globalThis.crypto.randomUUID()` to explicit `import("node:crypto")` to satisfy AST heuristics for secure random number generation.