fix(security): resolve Snyk Code findings — Tar Slip, Path Traversal, Open Redirect, XSS

Tar Slip (CWE-22) — 3 import services:
  threat_actor, lolbas, caldera: add path validation before extractall()
  to prevent malicious zip members with ../ escaping the target directory.
  (sigma, elastic, atomic already had this protection)

Path Traversal (CWE-23) — professional_reports.py:
  Add _assert_safe_report_path() check on all 5 report endpoints to
  verify the generated filepath stays within REPORT_OUTPUT_DIR.

Open Redirect (CWE-601) — sso.py:
  Validate IdP redirect URL scheme (must be http/https) before
  issuing RedirectResponse, blocking javascript: and data: redirects.

DOM XSS (CWE-79) — 4 frontend pages:
  Create src/utils/url.ts with safeUrl() that rejects non-http/https
  protocols; apply to actor.mitre_url, ref.url, intel.url.
  Sanitize framework name to alphanumeric-only before DOM insertion.
  Restrict evidence MIME types to an explicit safe allowlist (png/jpg/gif/webp).

Hardcoded credentials (CWE-798):
  verify_gaps.py, create_wiki.py: replace literal passwords with
  environment variable reads (AEGIS_ADMIN_PASSWORD, GITEA_PASSWORD).

scripts/create_wiki.py

@@ -2,6 +2,7 @@
 """Create all Aegis wiki pages via Gitea API."""
 
 import base64
+import os
 import sys
 import time
 
@@ -14,11 +15,11 @@ from requests.auth import HTTPBasicAuth
 #   POST   /api/v1/repos/{owner}/{repo}/wiki/new              → create
 #   PATCH  /api/v1/repos/{owner}/{repo}/wiki/page/{pageName}  → update
 #   GET    /api/v1/repos/{owner}/{repo}/wiki/pages             → list
-GITEA_URL = "http://192.168.1.107:3000"
-OWNER = "kitos"
-REPO = "Aegis"
-USERNAME = "kitos"
-PASSWORD = "T'2JY%HLX\"Bp^6e"
+GITEA_URL = os.environ.get("GITEA_URL", "http://192.168.1.107:3000")
+OWNER = os.environ.get("GITEA_OWNER", "kitos")
+REPO = os.environ.get("GITEA_REPO", "Aegis")
+USERNAME = os.environ.get("GITEA_USERNAME", "kitos")
+PASSWORD = os.environ.get("GITEA_PASSWORD", "")
 
 
 def create_or_update_page(title: str, content: str) -> bool: