fix(gui): mitigate CVE-2026-48710 (BadHost)

[melifaro]

Summary

• Replace request.url.path with request.scope["path"] in require_gui_user() to prevent Host header forgery from manipulating the login redirect returnTo parameter (CVE-2026-48710)
• Bump starlette dependency from >=1.0.0 to >=1.0.1 (lockfile: 1.0.0 → 1.1.0)
• Update tests to use request.scope["path"] instead of request.url.path

Why

Starlette < 1.0.1 constructs request.url by concatenating the HTTP Host header with the request path without sanitization. An attacker can forge request.url.path via crafted Host headers. In require_gui_user(), this was used to build the returnTo login redirect — an open redirect vector.

request.scope["path"] uses the ASGI scope path set by the server from the actual request target, which is not derived from the Host header.

Downstream impact

All NiceGUI apps built on aignostics-foundry-core (bridge, hermes, etc.) inherit this fix automatically when they bump their dependency. No code changes needed in consuming projects.

Test plan

• mise run lint passes
• TestRequireGuiUser — all 3 tests pass (redirect, authenticated, return_to override)
• CI pipeline passes

🤖 Generated with Claude Code

[aig-hannes]

Looks good to me!

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Files with missing lines	Coverage Δ
src/aignostics_foundry_core/gui/auth.py	93.18% <100.00%> (ø)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud