fix(security): escape quotes in HTML attrs + mark node-id hash non-security

CodeQL alerts:
- #80–83 (Medium, js/incomplete-sanitization): _esc/esc in trace.js +
  trace_detail.js escaped <>& but NOT quotes, so a value containing " broke
  out of data-file="…" / data-path="…" / data-sid="…" attributes (XSS).
  Both helpers now escape " → &quot; and ' → &#39; — safe in text AND
  quoted-attribute contexts. Also escape the (constant) data-lazy value.
- #79 (High, py/weak-sensitive-data-hashing): _short_hash in
  workflow_graph_schema.py mints DETERMINISTIC NODE IDs (non-security). Add
  usedforsecurity=False to document intent + let CodeQL skip it. SHA-1 kept
  (not upgraded) so existing node IDs stay stable across graphs/snapshots.

py compile + ruff clean; trace.js/trace_detail.js parse.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: cdeust

mcp_server/core/workflow_graph_schema.py

@@ -116,8 +116,16 @@ class WorkflowEdge(BaseModel):
 
 
 def _short_hash(value: str, width: int = 10) -> str:
-    """Stable, non-cryptographic short hash for ID stability across runs."""
-    return hashlib.sha1(value.encode("utf-8")).hexdigest()[:width]
+    """Stable, non-cryptographic short hash for ID stability across runs.
+
+    ``usedforsecurity=False`` (Python 3.9+) documents intent — this hash mints
+    deterministic node IDs, it never protects sensitive data — and lets CodeQL's
+    weak-hashing query correctly skip it. SHA-1 is retained (not upgraded to
+    SHA-256) so existing node IDs stay stable across graphs and snapshots.
+    """
+    return hashlib.sha1(value.encode("utf-8"), usedforsecurity=False).hexdigest()[
+        :width
+    ]
 
 
 class NodeIdFactory:

ui/unified/js/trace.js

@@ -346,8 +346,13 @@
   }
 
   function _esc(s) {
+    // Escapes the full HTML special set INCLUDING quotes, so the result is
+    // safe in both element text AND quoted-attribute contexts (e.g.
+    // data-file="..."). Without the quote escapes a value containing `"`
+    // breaks out of the attribute → injection (CodeQL js/incomplete-sanitization).
     return String(s == null ? '' : s)
-      .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+      .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
   }
 
   // ── Trace detail panel: kind-dispatched rich info ────────────────────

ui/unified/js/trace_detail.js

@@ -23,8 +23,12 @@
   };
 
   function esc(s) {
+    // Full HTML escape incl. quotes → safe in both text and quoted-attribute
+    // contexts (data-path="...", data-sid="..."). Quote escapes prevent
+    // attribute breakout (CodeQL js/incomplete-sanitization).
     return String(s == null ? '' : s)
-      .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+      .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
   }
   function shortStr(t, n) {
     n = n || 60;
@@ -54,7 +58,7 @@
   function section(title, id, bodyHtml, opts) {
     opts = opts || {};
     return '<details class="td-sec"' + (opts.open ? ' open' : '')
-      + (opts.lazy ? ' data-lazy="' + opts.lazy + '"' : '')
+      + (opts.lazy ? ' data-lazy="' + esc(opts.lazy) + '"' : '')
       + (opts.path ? ' data-path="' + esc(opts.path) + '"' : '')
       + (opts.sid ? ' data-sid="' + esc(opts.sid) + '"' : '') + '>'
       + '<summary>' + esc(title) + '</summary>'