audit(spark-A): security hardening — loopback bind gate + sqlite resource limits + path masking

- HIGH: gate /accounts/import-local on isLocalBindHost too (not just remoteAddress)
- HIGH: tmp file lifecycle (random subdir + global cleanup), sqlite size/row caps, short-lived cache
- HIGH: sources.path returns basename only (no absolute path leak)
- 5 new security tests in test/local-windsurf-security.test.js