fix(security): address CodeQL static analysis gaps

[hittyt]

Summary

• Address existing medium/high CodeQL findings in Python and Go by removing a sensitive-name logging false positive, documenting/suppressing sandbox-local user SQL execution false positives, and documenting the Docker port probe as a publish-scope false positive.
• Keep CodeQL language coverage on the repository default setup, which is already configured for java-kotlin along with the other supported languages.

Testing

• Not run (explain why)
• Unit tests
• Integration tests
• e2e / manual verification

Unit/manual verification run locally:

• uv run ruff check opensandbox_server/startup_guard.py opensandbox_server/services/docker_port_allocator.py tests/test_main_api_key_guard.py tests/test_docker_port_allocator.py
• uv run pytest tests/test_main_api_key_guard.py tests/test_docker_port_allocator.py
• go test ./pkg/runtime
• ./gradlew --no-daemon publishToMavenLocal in sdks/sandbox/kotlin
• ./gradlew --no-daemon publishToMavenLocal in sdks/code-interpreter/kotlin
• ./gradlew --no-daemon testClasses in tests/java
• git diff --check

Breaking Changes

• None
• Yes (describe impact and migration path)

Checklist

• Linked Issue or clearly described motivation
• Added/updated docs (if needed)
• Added/updated tests (if needed)
• Security impact considered
• Backward compatibility considered

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0229151e31

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".