fix: close remaining CodeQL code scanning alerts

[adubovikov]

Summary

After #30 merged, 5 alerts remained on code scanning:

• go/path-injection in uistore/store.go (MkdirAll, Rename) and layout.go (JobArtifactDir)
• go/weak-sensitive-data-hashing in auth.go (SIP Digest MD5/SHA-256 sinks)

This PR routes the remaining file operations through safepath.EnsureDirUnder / RenameUnder / EnsureJobArtifactsDir and moves // codeql[...] comments to the hash sink lines.

Test plan

• go test ./internal/uistore/... ./internal/safepath/... ./internal/engine/...
• Confirm CodeQL re-scan closes alerts Feature/sipstress style summary #13, feat: add gossipper backfill subcommand #14, #41 and digest warnings feat: automatically sync version.go with release tags via GitHub Actions #4, #40

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Alexandr Dubovikov seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}