fix(security): batch close 4 GitHub security alerts (SMI-4499/4501/4502/4504)

SMI-4499 (Dependabot #91, critical) — re-add `protobufjs: ^7.5.5` global
override. Originally added in SMI-4248 (#607), dropped in SMI-4250 (#610) on
the assumption that only ruflo (dev-only) still pulled sub-7.5.5. That was
incorrect — `@claude-flow/aidefence@3.0.2` (a production dep) reaches it via
`@xenova/transformers > onnxruntime-web > onnx-proto@4.0.4 → protobufjs@^6.11.0`.
`onnx-proto` declares a caret (not exact-pin) so flat override resolves.

SMI-4501 (Dependabot #95, medium) — add `uuid: ^14.0.0` global override.
Three chains affected (gcp-metadata > gaxios, ruflo plugin, @azure/msal-node).
All resolve cleanly post-install. v14 dropped `_default` export and finalized
the parse/stringify deprecation; v4() API used by all three callers is
unchanged.

SMI-4502 (CodeQL #79/#80, high) — replace `Math.random` in
`integration-tools.stub.ts` with `crypto.randomBytes`. Stub is re-exported
from `integration-tools.ts:18` and ships in published @skillsmith/mcp-server,
so production callers were receiving predictable secrets. Output format
preserved (32 hex chars for whsec_*, 40 base64url chars for sk_int_*); all
existing mcp-server tests pass without modification.

SMI-4504 (CodeQL #85, high → false positive) — replace inert
`lgtm[js/insufficient-password-hash]` annotation with the GitHub-recognized
`codeql[...]` form. The lgtm annotation has been silently no-op since the
LGTM.com→GHAS migration. Telemetry actor-ID derivation via HMAC-SHA-256 is
not password storage; rationale doc-comment unchanged. UI dismissal of the
alert will follow once next CodeQL CI scan confirms the codeql[] form
suppresses it.

Verification:
- npm install -> overrides applied (protobufjs@7.5.5 deduped on all chains;
  uuid@14.0.0 deduped on all chains; verified via `npm ls protobufjs` and
  `npm ls uuid`)
- npm audit --omit=dev -> only astro <6.1.6 remaining (PR-2 scope, SMI-4500)
- npm run lint -> clean
- npm run typecheck -> clean
- npm test (core) -> 3539/3541 (2 skipped, baseline)
- npm test (mcp-server) -> 603/610 (7 todo, baseline)
- npm run audit:standards -> 50 pass / 5 warns (baseline) / 0 fail
- npm run format:check -> clean

Note: the protobufjs override re-add is structurally NOT a regression of
SMI-4250's bundle-removal cleanup. SMI-4250 collapsed the otel duplicate
chain; this restores defense-in-depth coverage for an unrelated production
dep (aidefence) that wasn't accounted for in 4250's analysis.

Linear:
- https://linear.app/smith-horn-group/issue/SMI-4499
- https://linear.app/smith-horn-group/issue/SMI-4501
- https://linear.app/smith-horn-group/issue/SMI-4502
- https://linear.app/smith-horn-group/issue/SMI-4504

Closes Dependabot alerts #91, #95
Closes CodeQL alerts #79, #80
Targets dismissal of CodeQL alert #85

Co-Authored-By: claude-flow <ruv@ruv.net>
Co-Authored-By: Claude <noreply@anthropic.com>

Author: 3 people

package-lock.json

@@ -114,6 +114,8 @@
     "h3": "^1.15.9",
     "hono": "^4.12.14",
     "@hono/node-server": "^1.19.13",
+    "protobufjs": "^7.5.5",
+    "uuid": "^14.0.0",
     "vite": "^7.3.2",
     "fast-xml-parser": "^5.5.7",
     "@aws-sdk/xml-builder": ">=3.972.3",

package.json

@@ -32,11 +32,9 @@ const REQUEST_TIMEOUT_MS = 2000
 const TELEMETRY_ACTOR_KEY = 'skillsmith-telemetry-actor:v1'
 
 function hashForActor(apiKey: string): string {
-  // lgtm[js/insufficient-password-hash] This is deterministic correlation-ID
+  // codeql[js/insufficient-password-hash] Deterministic telemetry actor-ID
   // derivation via HMAC-SHA-256 — not password storage. See TELEMETRY_ACTOR_KEY
-  // doc-comment above for full rationale (false positive in CodeQL's taint
-  // tracking which flags any flow from an API-key-like source into a crypto
-  // function, regardless of construction).
+  // doc-comment above for full rationale.
   return createHmac('sha256', TELEMETRY_ACTOR_KEY).update(apiKey).digest('hex')
 }
 

packages/core/src/audit/remote-audit.ts

@@ -8,6 +8,7 @@
  * Provides in-memory stub implementations for webhook and API key management.
  */
 
+import { randomBytes } from 'node:crypto'
 import type {
   IntegrationService,
   Webhook,
@@ -21,16 +22,11 @@ import type {
 // ============================================================================
 
 function generateStubSecret(): string {
-  const chars = 'abcdef0123456789'
-  return Array.from({ length: 32 }, () => chars[Math.floor(Math.random() * chars.length)]).join('')
+  return randomBytes(16).toString('hex')
 }
 
 function generateStubKey(): string {
-  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
-  return (
-    'sk_int_' +
-    Array.from({ length: 40 }, () => chars[Math.floor(Math.random() * chars.length)]).join('')
-  )
+  return 'sk_int_' + randomBytes(30).toString('base64url')
 }
 
 function computeExpiry(expiresIn?: string): string | null {