fix(security): resolve real CodeQL findings + upgrade vulnerable frontend deps#12

Merged
Harsh-2002 merged 1 commit into main from dev on Jun 4, 2026
Conversation

@Harsh-2002

Owner

Summary

Resolves the GitHub CodeQL + Dependabot findings. Every alert was triaged against the actual code; this PR fixes the genuine ones, hardens one, and upgrades vulnerable frontend deps. The verified false-positives / by-design alerts are intentionally left as code and will be dismissed with documented reasons (see below).

Real fixes

  • path-injection (functions.go rollback + builder/activate.go): code_hash from the request body flowed into a versions/<hash> filesystem path. Now validated as a 64-char lowercase-hex sha256 (its only legitimate shape) before use, with a defensive re-check in ActivateVersion. + activate_test.go.
  • zipslip (builder.go extractTarGz): added the joined-path-under-destDir guard the backup extractor already uses (defense-in-depth for deploy tarballs).
  • biased-random (Onboarding.vue): replaced crypto % n in the password generator + Fisher–Yates shuffle with unbiased rejection sampling.
  • CI hygiene: least-privilege permissions: contents: read added to cli-e2e/e2e/install-e2e workflows → clears 10 actions/missing-workflow-permissions.
  • deps: axios 1.15 → 1.17 + npm audit fix (follow-redirects, postcss) → npm audit reports 0. Supersedes Dependabot PR chore(deps): bump axios from 1.15.0 to 1.16.0 in /frontend #11.

Dismiss-as-noise (no code change — done post-merge with reasons)

backup.go zipslip + path-injection (extractor sanitizes), kv.go alloc (limit clamped ≤1000), API-key SHA256 ×2 (256-bit random token; correct), OAuth redirect ×2 (redirect_uri validated), logout cookie Secure (deletion cookie; issuers set it conditionally).

Validation

  • go build/vet/test -race green (+ new activate_test.go for the hash guard).
  • npm audit = 0; npm run build + make embed.
  • Expected: after merge, CodeQL re-scan auto-closes the path-injection/zipslip/biased + workflow-permission alerts; Dependabot closes axios/follow-redirects/postcss.

No release — main stays ready.
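The two backend fixes above (the `code_hash` shape check before it reaches `versions/<hash>`, and the joined-path-under-destDir guard in the tar extractor) follow one pattern: validate attacker-controlled input against its only legitimate shape, and re-check at the filesystem boundary. The Go below is an added, self-contained illustration of that pattern and is not the project's code; `validateCodeHash`, `versionDir`, `safeJoin`, `extractTarGz` and the `/srv/app` root are illustrative names, and the archive it unpacks is constructed in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// A code_hash is a hex-encoded SHA-256: exactly 64 lowercase hex digits.
var sha256HexRE = regexp.MustCompile(`^[0-9a-f]{64}$`)

// validateCodeHash rejects anything that is not that one shape, so "../",
// absolute paths, NUL bytes or uppercase hex never reach filepath.Join.
func validateCodeHash(h string) error {
	if !sha256HexRE.MatchString(h) {
		return fmt.Errorf("invalid code_hash %q: want 64 lowercase hex chars", h)
	}
	return nil
}

// versionDir builds the hardened "versions/<hash>" path. The function that
// activates a version should repeat this check rather than trust the handler.
func versionDir(root, codeHash string) (string, error) {
	if err := validateCodeHash(codeHash); err != nil {
		return "", err
	}
	return filepath.Join(root, "versions", codeHash), nil
}

// safeJoin is the zip-slip guard: join the entry name under destDir and refuse
// any result that is neither destDir itself nor below it. The separator in the
// prefix stops "/tmp/dest2" from passing as inside "/tmp/dest".
func safeJoin(destDir, name string) (string, error) {
	dest := filepath.Clean(destDir)
	target := filepath.Join(dest, name)
	if target != dest && !strings.HasPrefix(target, dest+string(os.PathSeparator)) {
		return "", fmt.Errorf("archive entry %q escapes %q", name, dest)
	}
	return target, nil
}

// extractTarGz unpacks r into destDir, running safeJoin on every entry and
// refusing symlinks/hardlinks (their targets are a second escape vector).
// It returns the files written so far and stops at the first bad entry.
func extractTarGz(r io.Reader, destDir string) ([]string, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeJoin(destDir, hdr.Name)
		if err != nil {
			return written, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, target)
		default:
			return written, fmt.Errorf("refusing entry %q of type %d", hdr.Name, hdr.Typeflag)
		}
	}
}

// tarEntry/buildTarGz build a constructed archive in memory for the demo.
type tarEntry struct{ Name, Body string }

func buildTarGz(entries []tarEntry) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		tw.WriteHeader(&tar.Header{Name: e.Name, Mode: 0o644, Size: int64(len(e.Body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(e.Body))
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(validateCodeHash("../../etc/passwd"))
	dir, _ := os.MkdirTemp("", "deploy")
	defer os.RemoveAll(dir)
	tgz := buildTarGz([]tarEntry{{"ok.txt", "hello"}, {"../evil.txt", "pwned"}})
	written, err := extractTarGz(bytes.NewReader(tgz), dir)
	fmt.Println(written, err)
}
```

The prefix check uses `filepath.Clean` output on both sides, so `..` segments are collapsed before comparison; an allow-list regex for the hash is stricter still, because it never lets the value touch path logic at all. A deployment extractor should additionally bound each entry's size (an `io.LimitReader` around `tr`) since the guard above addresses only where bytes land, not how many.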

…tend deps

Triaged all CodeQL + Dependabot alerts against the code; fixes the genuine ones,
hardens one, and upgrades vulnerable deps. (Verified false-positives — backup
extractor, kv alloc clamp, API-key SHA256, OAuth redirect_uri validation, logout
deletion cookie — are left as-is and will be dismissed with reasons.)

- path-injection (functions.go rollback, builder/activate.go): code_hash from the
  request body flowed into a versions/<hash> filesystem path. Validate it is a
  64-char lowercase-hex sha256 (its only legitimate shape) before use; defensive
  re-check in ActivateVersion. + builder/activate_test.go.
- zipslip (builder.go extractTarGz): add the joined-path-under-destDir guard the
  backup extractor already uses (defense-in-depth; deploy tarballs).
- biased-random (Onboarding.vue): replace `crypto % n` in the password generator
  + Fisher-Yates shuffle with unbiased rejection sampling.
- CI: add least-privilege `permissions: contents: read` to cli-e2e/e2e/install-e2e
  workflows (clears 10 actions/missing-workflow-permissions).
- deps: bump axios 1.15→1.17 + npm audit fix (follow-redirects, postcss);
  `npm audit` now reports 0 vulnerabilities. Supersedes Dependabot PR #11.

go build/vet/test green; npm audit 0; ui rebuilt + re-embedded.
Harsh-2002 merged commit f90e58c into main Jun 4, 2026
19 of 25 checks passed
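The biased-random fix replaces `crypto % n` with rejection sampling: a 32-bit draw reduced modulo n is only uniform when 2^32 is a multiple of n, so draws that land in the incomplete final bucket must be thrown away and redrawn. The block below is an added illustration in Go, not the project's Vue code; `uniformIndex`, `shuffle`, `generatePassword` and the `alphabet` constant are illustrative, and `sequenceSource` replays constructed values so the rejection path can be exercised deterministically.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// randSource yields 32 fresh random bits per call. Production code uses
// cryptoSource; the demo also accepts a scripted source.
type randSource func() (uint32, error)

func cryptoSource() (uint32, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint32(b[:]), nil
}

// sequenceSource replays constructed values (for the demo only, never for
// real key or password material).
func sequenceSource(vals []uint32) randSource {
	i := 0
	return func() (uint32, error) {
		if i >= len(vals) {
			return 0, errors.New("sequence exhausted")
		}
		v := vals[i]
		i++
		return v, nil
	}
}

// biasedIndex is the pattern CodeQL reports as biased-random: when 2^32 is not
// a multiple of n, residues 0..(2^32 mod n)-1 each get one extra source value
// and are therefore slightly more likely than the rest.
func biasedIndex(r uint32, n uint32) uint32 { return r % n }

// uniformIndex draws until the value falls below the largest multiple of n
// that fits in 32 bits, then reduces. Every residue then has exactly limit/n
// source values mapping onto it, so the result is uniform in [0, n).
func uniformIndex(next randSource, n uint32) (uint32, error) {
	if n == 0 {
		return 0, errors.New("n must be positive")
	}
	const span = uint64(1) << 32
	limit := span - span%uint64(n) // a multiple of n; draws >= limit are rejected
	for {
		r, err := next()
		if err != nil {
			return 0, err
		}
		if uint64(r) < limit {
			return r % n, nil
		}
		// rejected: r sits in the incomplete final bucket, so redraw
	}
}

// shuffle is Fisher-Yates with an unbiased index at every step.
func shuffle(next randSource, s []byte) error {
	for i := len(s) - 1; i > 0; i-- {
		j, err := uniformIndex(next, uint32(i+1))
		if err != nil {
			return err
		}
		s[i], s[j] = s[j], s[i]
	}
	return nil
}

const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"

// generatePassword picks n characters from alphabet, each chosen uniformly.
func generatePassword(next randSource, n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		j, err := uniformIndex(next, uint32(len(alphabet)))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[j]
	}
	return string(out), nil
}

func main() {
	pw, err := generatePassword(cryptoSource, 20)
	fmt.Println(pw, err)
}
```

With n = 3, 2^32 mod 3 is 1, so exactly one source value (0xFFFFFFFF) is rejected; with a power-of-two n nothing is ever rejected and the loop runs once. The expected number of redraws is always below 2, so the cost over plain `% n` is negligible while the output distribution becomes exactly uniform.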