fix(security): sanitize logs, redact secrets, harden XML parsing

Address actionable CodeQL security-extended findings and extend the same redaction to the debug JSONL logger

uv.lock

@@ -456,6 +456,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/94/35/386550fd60316d1e37eccdda609b074113298f23cef5bddb2049823fe666/dacite-1.9.2-py3-none-any.whl", hash = "sha256:053f7c3f5128ca2e9aceb66892b1a3c8936d02c686e707bee96e19deef4bc4a0", size = 16600, upload-time = "2025-02-05T09:27:24.345Z" },
 ]
 
+[[package]]
+name = "defusedxml"
+version = "0.7.1"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/0f/d5/c66da9b79e5bdb124974bfe172b4daf3c984ebd9c2a06e2b8a4dc7331c72/defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69", size = 75520, upload-time = "2021-03-08T10:59:26.269Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/07/6c/aa3f2f849e01cb6a001cd8554a88d4c77c5c1a31c95bdf1cf9301e6d9ef4/defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61", size = 25604, upload-time = "2021-03-08T10:59:24.45Z" },
+]
+
 [[package]]
 name = "distlib"
 version = "0.4.0"
@@ -1766,6 +1775,7 @@ dependencies = [
     { name = "construct" },
     { name = "crccheck" },
     { name = "cryptography" },
+    { name = "defusedxml" },
     { name = "filelock" },
     { name = "fonttools" },
     { name = "jsonpickle" },
@@ -1831,6 +1841,7 @@ requires-dist = [
     { name = "construct", specifier = ">=2.8.8,<3" },
     { name = "crccheck", specifier = ">=1.3.0,<2" },
     { name = "cryptography", specifier = ">=45.0.0,<47" },
+    { name = "defusedxml", specifier = ">=0.7.1" },
     { name = "filelock", specifier = ">=3.20.3,<4" },
     { name = "fonttools", specifier = ">=4.60.2,<5" },
     { name = "jsonpickle", specifier = ">=3.0.4,<5" },