
fix(security): sanitize orderId route parameter before logging to prevent log-forging #127

Merged
JerrettDavis merged 1 commit into main from fix/log-forging-orderId on Jun 23, 2026
Conversation

@JerrettDavis

Owner

The `id` parameter bound from the URL path in the UpdateOrderStatus endpoint is
user-controlled. Sanitize it via SanitizeForLog before passing to LogInformation
(CodeQL cs/log-forging alert #295 on main).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

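An added illustration of why the sanitization step matters; this is not the project's code. `SanitizeForLog` here is an assumed implementation (the repository's own helper may differ), and `LogInformation` is a stand-in for an ILogger writing to a plain-text sink, where message-template placeholders do not protect against embedded line breaks.

```csharp
using System;
using System.Text;

// Assumed implementation, not the project's SanitizeForLog.
public static class LogSanitizer
{
    // Escape CR/LF so user input can never end the current log line and start a
    // forged one; other control characters are replaced and overlong values truncated.
    public static string SanitizeForLog(string? value, int maxLength = 200)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;
        var sb = new StringBuilder(value.Length);
        foreach (var ch in value)
        {
            if (ch == '\r') sb.Append("\\r");
            else if (ch == '\n') sb.Append("\\n");
            else if (char.IsControl(ch)) sb.Append('?');
            else sb.Append(ch);
        }
        if (sb.Length > maxLength) { sb.Length = maxLength; sb.Append("..."); }
        return sb.ToString();
    }
}

public static class Demo
{
    // Stand-in for ILogger.LogInformation with a text sink: one Console line per call.
    // Structured templates ({Id}) still render the raw value into the line for text sinks.
    static void LogInformation(string template, object arg) =>
        Console.WriteLine("info: " + string.Format(template, arg));

    public static void Main()
    {
        // Constructed sample route value: a plausible id, then CRLF and a forged entry.
        var id = "42\r\ninfo: Order 999 status updated to Shipped by admin";

        // Unsanitized: the CRLF splits this into two sink lines, and the second one
        // is indistinguishable from an entry the application wrote itself.
        LogInformation("Updating status for order {0}", id);

        // Sanitized: the escaped CR/LF stay inside a single line, so the forged
        // text is visibly part of the attacker-supplied value.
        LogInformation("Updating status for order {0}", LogSanitizer.SanitizeForLog(id));
    }
}
```

Sinks that emit JSON already encode newlines, but any console or file sink that writes rendered text needs the value escaped before the call, which is exactly what this PR does.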
@github-actions

Contributor

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@github-actions

Contributor

Test Results

118 tests  ±0   118 ✅ ±0   5s ⏱️ -1s
  2 suites ±0     0 💤 ±0 
  2 files   ±0     0 ❌ ±0 

Results for commit 93b1051. ± Comparison against base commit 9c5bcfe.

@github-actions

Contributor

🔍 PR Validation Results

Version: 0.0.0-g298ce09a4a

📦 Detected NuGet Packages (17)

  • Demo.JsonApi
  • Demo.SoapApi
  • QuickApiMapper.Application
  • QuickApiMapper.Behaviors
  • QuickApiMapper.Contracts
  • QuickApiMapper.CustomTransformers
  • QuickApiMapper.Extensions.RabbitMQ
  • QuickApiMapper.Extensions.ServiceBus
  • QuickApiMapper.Extensions.gRPC
  • QuickApiMapper.Management.Contracts
  • QuickApiMapper.MessageCapture.Abstractions
  • QuickApiMapper.MessageCapture.InMemory
  • QuickApiMapper.Persistence.Abstractions
  • QuickApiMapper.Persistence.PostgreSQL
  • QuickApiMapper.Persistence.SQLite
  • QuickApiMapper.StandardTransformers
  • QuickApiMapper.Tools.Migrator

🚀 Detected Executables (2)

  • QuickApiMapper.Host.AppHost
  • QuickApiMapper.Tools.Migrator

✅ Validation Steps

  • Build solution
  • Run unit tests
  • Run integration tests
  • Dry-run NuGet packaging
  • Dry-run executable publishing

📊 Artifacts

Dry-run artifacts have been uploaded and will be available for 7 days.


This comment was automatically generated by the PR validation workflow.

@JerrettDavis JerrettDavis merged commit b990089 into main Jun 23, 2026
7 checks passed
@JerrettDavis JerrettDavis deleted the fix/log-forging-orderId branch June 23, 2026 02:23
