fix: address CodeQL code scanning alerts #167

Merged
markwylde merged 4 commits into main from codex/fix-code-scanning-alerts on Jun 13, 2026

Conversation

@markwylde

Member

Summary

  • Restrict GitHub workflow token permissions to read-only contents access.
  • Replace brittle sanitizer patterns by rejecting SVG branding uploads, validating branding image settings, and parsing demo note previews to safe text.
  • Harden auth/network alert surfaces: unbiased trusted-device codes, bounded bearer parsing, broader OIDC discovery SSRF checks, and non-credentialed loopback-only demo CORS.

Verification

  • npx --yes github-actionlint@latest .github/workflows/pr-checks.yml .github/workflows/deploy.yml .github/workflows/test.yml
  • pnpm --filter @DarkAuth/api exec node --env-file-if-exists=../../.env --test src/models/passwordResetTokens.test.ts src/services/branding.test.ts src/controllers/usersDirectory.test.ts src/models/federation.test.ts src/models/trustedDevices.test.ts
  • pnpm --filter @DarkAuth/demo-app exec node --disable-warning=ExperimentalWarning --experimental-transform-types --test server/src/createServer.test.ts tests/noteContent.test.ts
  • pnpm --filter @DarkAuth/test-suite exec playwright test tests/admin/branding/branding.spec.ts --list
  • git diff --check
  • pnpm tidy
  • pnpm build

Notes

  • Password reset tokens are high-entropy random bearer tokens, so the CodeQL password-hash alert is a false positive as a password issue. The verifier remains keyed with the configured KEK passphrase and now fails closed if the pepper is missing.
  • Federation discovery still has the usual native-fetch DNS rebinding TOCTOU limitation because fetch resolves after the preflight DNS check; this PR expands prefetch blocking and keeps redirects disabled.
  • pnpm tidy passes but continues to report existing Biome schema/deprecation infos and unrelated existing lint warnings.
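Two of the hardening items listed in the summary, as an added example that is not part of DarkAuth or this PR: rejection sampling to generate a numeric trusted-device code without modulo bias (shown next to the biased modulo version for contrast), and a length-bounded Bearer header parser. The function names, the six-digit code length and the 4096-character header bound are this example's own assumptions.

```typescript
// Added example (not DarkAuth's code): unbiased numeric device codes and a
// bounded Bearer header parser. Names and bounds are this example's assumptions.
import { randomBytes } from "node:crypto";

type ByteSource = (n: number) => Uint8Array;

// Big-endian uint32 from the first four bytes, forced unsigned with >>> 0.
function u32(b: Uint8Array): number {
  return ((b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]) >>> 0;
}

// Biased: 2^32 is not a multiple of 10^digits, so the residues below
// (2^32 mod 10^digits) each occur one extra time and are slightly more likely.
export function biasedCode(digits: number, src: ByteSource = randomBytes): string {
  const modulus = 10 ** digits;
  return String(u32(src(4)) % modulus).padStart(digits, "0");
}

// Unbiased: discard any draw in the short tail [limit, 2^32) above the largest
// multiple of the modulus, so every residue is exactly equally likely.
// (Node's crypto.randomInt already avoids modulo bias; this shows the idea.)
export function unbiasedCode(digits: number, src: ByteSource = randomBytes): string {
  const modulus = 10 ** digits;
  const limit = 2 ** 32 - ((2 ** 32) % modulus);
  for (;;) {
    const value = u32(src(4));
    if (value < limit) return String(value % modulus).padStart(digits, "0");
    // tail value: rejected, draw again (probability < modulus / 2^32)
  }
}

// Bounded Bearer parsing: reject oversized headers before any pattern matching,
// then accept only the RFC 6750 "Bearer" scheme, one space, and a token68 body.
const TOKEN68 = /^[A-Za-z0-9\-._~+\/]+=*$/;
export function parseBearer(header: string | undefined, maxLen = 4096): string | null {
  if (header === undefined || header.length > maxLen) return null;
  const sp = header.indexOf(" ");
  if (sp === -1 || header.slice(0, sp).toLowerCase() !== "bearer") return null;
  const token = header.slice(sp + 1);
  return TOKEN68.test(token) ? token : null;
}
```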

@markwylde markwylde merged commit c26337e into main Jun 13, 2026
21 checks passed
@markwylde markwylde deleted the codex/fix-code-scanning-alerts branch June 13, 2026 05:29