fix: use cryptographic nonce for extension webview CSP

Agent-Logs-Url: https://github.com/devNull-bootloader/openclaude/sessions/30a4694d-1125-4280-a593-74b5e3da601e

Co-authored-by: devNull-bootloader <189463177+devNull-bootloader@users.noreply.github.com>

vscode-extension/openclaude-vscode/src/extension.js

@@ -1,4 +1,5 @@
 const vscode = require('vscode');
+const crypto = require('crypto');
 
 function launchOpenClaude() {
   const configured = vscode.workspace.getConfiguration('openclaude');
@@ -39,7 +40,7 @@ class OpenClaudeControlCenterProvider {
   }
 
   getHtml(webview) {
-    const nonce = String(Date.now());
+    const nonce = crypto.randomBytes(16).toString('base64');
     return `<!DOCTYPE html>
 <html lang="en">
 <head>