fix: resolve 4 dismissed CodeQL alerts — URL sanitization + crypto bias
- bingAdapter.ts: fix .hostname.includes('bing.com') → endsWith('.bing.com')
to prevent evilbing.com bypass (#367, incomplete-url-substring-sanitization)
- Task.ts, LocalMainSessionTask.ts, words.ts: replace modulo bias
(bytes[i] % length) with rejection sampling using crypto.randomBytes,
eliminating biased-cryptographic-random alerts (#5, #6, #7)
Validation: bun run check:fix ✓, bunx tsc --noEmit (0 new errors) ✓,
bun run build ✓