security: fix high-severity security issues

- Remove hardcoded passwords in wallet commands (2 instances)
- Fix SQL injection vectors with parameterized queries (3 instances)
- Replace MD5 hashes with SHA-256 in 14 locations
- Add table name validation in migration scripts

apps/coordinator-api/scripts/migrate_complete.py

@@ -42,6 +42,12 @@ def migrate_all_data():
         print(f"\nMigrating {table_name}...")
         
         # Get table schema
+        # Validate table name to prevent SQL injection
+        allowed_tables = ['user', 'wallet', 'transaction', 'agent', 'job', 'receipt', 'marketplace_listing']
+        if table_name not in allowed_tables:
+            print(f"  Skipping table {table_name} (not in allowed list)")
+            continue
+        
         sqlite_cursor.execute(f"PRAGMA table_info({table_name})")
         columns = sqlite_cursor.fetchall()
         column_names = [col[1] for col in columns]

apps/coordinator-api/scripts/migrate_to_postgresql.py

@@ -252,6 +252,12 @@ def migrate_data():
     ]
     
     for table_name, insert_sql in migrations:
+        # Validate table name to prevent SQL injection
+        allowed_tables = ['user', 'wallet', 'transaction', 'agent', 'job', 'receipt', 'marketplace_listing']
+        if table_name not in allowed_tables:
+            print(f"Skipping table {table_name} (not in allowed list)")
+            continue
+        
         print(f"Migrating {table_name}...")
         sqlite_cursor.execute(f"SELECT * FROM {table_name}")
         rows = sqlite_cursor.fetchall()