
Security: Address remaining CodeQL alert gaps from #3164 implementation #3205

@mrveiss


Context

During implementation of #3164 (PRs #3182, #3183, #3204), several gaps and behavioral changes were discovered that need follow-up.

Remaining CodeQL alerts (not addressed)

1. py/clear-text-storage-sensitive-data (~5 alerts)

  • autobot-backend/services/trigger_service.py:896 — stores HMAC webhook secrets in Redis as plain text via redis.setex()
  • autobot-backend/api/secrets.py:351 — writes secrets to JSON files via json.dump() without encryption
  • Fix: Encrypt secrets at rest using Fernet/AES before storing in Redis and on disk

2. py/clear-text-logging-sensitive-data (~55 alerts)

  • CodeQL flags log lines containing variable names like token, password, secret across ~35 files
  • All are false positives — they log metadata (IDs, names, error messages), not actual secret values
  • Fix: Add # codeql-suppress py/clear-text-logging-sensitive-data inline comments with explanations to suppress false positives and reduce alert noise

3. py/insecure-protocol (~4 alerts)

  • All http:// URLs are for internal service-to-service communication (Ollama, NPU worker, ChromaDB, backend health checks)
  • Internal HTTP on private networks is intentional design
  • Fix: Add # codeql-suppress py/insecure-protocol comments, or make scheme configurable via ssot_config (e.g., config.get_scheme('ollama'))

4. py/command-line-injection (~3 alerts)

  • elevation_wrapper.py:154 — create_subprocess_shell(command) — intentional command execution
  • utils/terminal_websocket_manager.py:223 — subprocess.Popen — terminal emulator
  • intelligence/streaming_executor.py:412 — create_subprocess_exec(*cmd_parts) — AI executor
  • Fix: These are by design. Add suppression comments documenting the authorization model.

Behavioral changes from PRs that need verification

5. Auth token sessionStorage migration (PR #3183)

  • Moved SLM frontend auth tokens from localStorage to sessionStorage
  • Impact: Users must re-login after closing browser tabs
  • Gap: LoginView.vue and SSOCallbackView.vue write to sessionStorage but some code paths may still read from localStorage only
  • Verify: Grep for all localStorage.getItem('slm_access_token') and ensure they fall back to sessionStorage

6. Analytics slug regex relaxation (PR #3204)

  • Removed lookaheads (?=.*[a-z])(?=.*\d) from analytics_controller.py slug detection to fix ReDoS
  • Impact: Regex now matches pure-alpha or pure-numeric slugs ≥8 chars (e.g., abcdefgh, 12345678) that were previously excluded
  • Verify: Check if this causes false positives in analytics URL normalization

Discovered during

PRs #3182, #3183, #3204 implementing #3164
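
Added example for the verification step in item 6, not code from the project or from the PRs: a differential check that lists which URL path segments the relaxed slug regex newly matches, plus a plain-Python mixed-content check that restores the old exclusion without lookaheads. The issue quotes only the removed lookaheads, so the full patterns, the function names, the :slug placeholder and the sample paths are assumptions.

```python
import re

# Assumed patterns: the issue gives only the removed lookaheads, not the full
# regex, so the character class and anchoring here are hypothetical.
OLD_SLUG = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$")
NEW_SLUG = re.compile(r"^[a-z0-9]{8,}$")


def is_slug_strict(segment: str) -> bool:
    """Relaxed pattern plus a linear post-match check for letter AND digit."""
    if not NEW_SLUG.match(segment):
        return False
    has_alpha = any("a" <= c <= "z" for c in segment)
    has_digit = any("0" <= c <= "9" for c in segment)
    return has_alpha and has_digit


def newly_matched(paths):
    """Segments the relaxed regex treats as slugs but the old regex did not."""
    hits = []
    for path in paths:
        for seg in path.strip("/").split("/"):
            if NEW_SLUG.match(seg) and not OLD_SLUG.match(seg) and seg not in hits:
                hits.append(seg)
    return hits


def normalize(path, is_slug):
    """Replace slug-like segments with a placeholder (hypothetical normalizer)."""
    parts = path.strip("/").split("/")
    return "/" + "/".join(":slug" if is_slug(s) else s for s in parts)


# Constructed sample paths, not taken from the project.
SAMPLE_PATHS = [
    "/api/sessions/a1b2c3d4e5",
    "/api/settings/profile",
    "/api/analytics/dashboard",
    "/api/jobs/12345678",
    "/api/kb/abcdefgh",
]

if __name__ == "__main__":
    print("newly matched:", newly_matched(SAMPLE_PATHS))
    for p in SAMPLE_PATHS:
        relaxed = normalize(p, lambda s: bool(NEW_SLUG.match(s)))
        print(p, "->", relaxed, "| strict:", normalize(p, is_slug_strict))
```

On these constructed paths, ordinary route words of eight or more letters (sessions, settings, analytics, dashboard) are collapsed by the relaxed pattern, which is the false-positive case the verification item asks about.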
