feat(llm-security): sandboxed remote cloning v5.1.0

Harden git clone attack surface for remote scans with defense-in-depth:

Layer 1 (all platforms): 8 git config flags disable hooks, symlinks,
filter/smudge drivers, fsmonitor, local file protocol. 4 env vars
isolate from system/user git config and block interactive prompts.

Layer 2 (OS sandbox): macOS sandbox-exec and Linux bubblewrap (bwrap)
restrict file writes to only the specific temp directory. bwrap
probe-tests availability before use. Graceful fallback on Windows
and Ubuntu 24.04+ (git config hardening only).

Additional: post-clone 100MB size check, UUID-unique evidence filenames,
evidence file cleanup, cleanup guarantee in scan/plugin-audit commands.

32 new tests (1147 total).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

plugins/llm-security/scanners/lib/fs-utils.mjs

@@ -9,6 +9,7 @@
 import { cpSync, rmSync, renameSync, existsSync } from 'node:fs';
 import { join, basename } from 'node:path';
 import { tmpdir } from 'node:os';
+import { randomUUID } from 'node:crypto';
 
 const [,, command, ...args] = process.argv;
 
@@ -50,8 +51,12 @@ switch (command) {
   }
 
   case 'tmppath': {
-    const filename = args[0] || 'llm-security-temp.json';
-    process.stdout.write(join(tmpdir(), filename) + '\n');
+    const base = args[0] || 'llm-security-temp.json';
+    const dotIdx = base.lastIndexOf('.');
+    const name = dotIdx > 0 ? base.slice(0, dotIdx) : base;
+    const ext = dotIdx > 0 ? base.slice(dotIdx) : '.json';
+    const unique = `${name}-${randomUUID().slice(0, 8)}${ext}`;
+    process.stdout.write(join(tmpdir(), unique) + '\n');
     break;
   }