fix(security): replace all Math.random with crypto.randomBytes in fixtures

Fix remaining CodeQL High severity findings for insecure randomness:
- test-data.ts: generateIPAddress, generatePort, generateCrowdSecDecisionData
- access-lists.ts: mockAccessListResponse
- notifications.ts: generateProviderName
- settings.ts: generateTestEmail

All test fixture files now use crypto.randomBytes() for unique ID generation.
This commit is contained in:
GitHub Actions
2026-01-24 22:33:59 +00:00
parent 28246b59d5
commit a2c4445c2e
4 changed files with 13 additions and 8 deletions


@@ -22,6 +22,7 @@
import { generateUniqueId, generateIPAddress, generateCIDR } from './test-data';
import type { AccessListData } from '../utils/TestDataManager';
import * as crypto from 'crypto';
/**
* ACL type - matches backend ValidAccessListTypes
@@ -377,7 +378,7 @@ export function mockAccessListResponse(
): AccessListAPIResponse {
const id = generateUniqueId();
return {
id: parseInt(id) || Math.floor(Math.random() * 10000),
id: parseInt(id) || crypto.randomBytes(2).readUInt16BE(0) % 10000,
uuid: `acl-${id}`,
name: config.name || `ACL-${id}`,
type: config.type || 'whitelist',
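Review bot: `crypto.randomBytes(2).readUInt16BE(0) % 10000` on the new `id` line is not uniform — 65536 is not a multiple of 10000, so values below 5536 come up slightly more often; `crypto.randomInt(10000)` (available since Node 14.10) yields a uniform integer without the reduction and reads more clearly: `id: parseInt(id) || crypto.randomInt(10000),`. The bias is harmless for a fixture id, but since this commit exists to satisfy a randomness check, the dedicated bounded-integer API is the cleaner answer, and the same need recurs in test-data.ts's `secureRandomInt` calls. Separately, the new `import * as crypto from 'crypto'` here, and the identical lines added to notifications.ts and settings.ts, would be better written as `import { randomBytes } from 'node:crypto'` — the `node:` specifier pins the built-in so it cannot be satisfied by a same-named package or a bundler polyfill. The returned object of mockAccessListResponse continues past the hunk.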


@@ -5,6 +5,8 @@
* These fixtures provide consistent test data across notification-related test files.
*/
import * as crypto from 'crypto';
// ============================================================================
// Notification Provider Types
// ============================================================================
@@ -52,7 +54,7 @@ export interface NotificationProvider extends NotificationProviderConfig {
* Generate a unique provider name
*/
export function generateProviderName(prefix: string = 'test-provider'): string {
return `${prefix}-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
return `${prefix}-${Date.now()}-${crypto.randomBytes(3).toString('hex')}`;
}
/**


@@ -5,6 +5,8 @@
* These fixtures provide consistent test data across settings-related test files.
*/
import * as crypto from 'crypto';
// ============================================================================
// SMTP Configuration Types and Fixtures
// ============================================================================
@@ -77,7 +79,7 @@ export const invalidSMTPConfigs = {
* Generate a unique test email address
*/
export function generateTestEmail(): string {
return `test-${Date.now()}-${Math.random().toString(36).slice(2, 8)}@test.local`;
return `test-${Date.now()}-${crypto.randomBytes(4).toString('hex')}@test.local`;
}
// ============================================================================


@@ -74,9 +74,9 @@ export function generateIPAddress(options: {
/** Fourth octet (1-254), random if not specified */
octet4?: number;
} = {}): string {
const o2 = options.octet2 ?? Math.floor(Math.random() * 256);
const o3 = options.octet3 ?? Math.floor(Math.random() * 256);
const o4 = options.octet4 ?? Math.floor(Math.random() * 253) + 1; // 1-254
const o2 = options.octet2 ?? secureRandomInt(256);
const o3 = options.octet3 ?? secureRandomInt(256);
const o4 = options.octet4 ?? secureRandomInt(253) + 1; // 1-254
return `10.${o2}.${o3}.${o4}`;
}
@@ -117,7 +117,7 @@ export function generatePort(options: {
max?: number;
} = {}): number {
const { min = 8080, max = 65000 } = options;
return Math.floor(Math.random() * (max - min + 1)) + min;
return secureRandomInt(max - min + 1) + min;
}
/**
@@ -530,7 +530,7 @@ export function generateCrowdSecDecisionData(
overrides: Partial<CrowdSecDecisionTestData> = {}
): CrowdSecDecisionTestData {
return {
ip: `10.0.${Math.floor(Math.random() * 255)}.${Math.floor(Math.random() * 255)}`,
ip: `10.0.${secureRandomInt(255)}.${secureRandomInt(255)}`,
duration: '4h',
reason: 'Test ban - automated testing',
scope: 'ip',
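Review bot: `secureRandomInt(253) + 1` on the new octet4 line yields 1–253, but the option doc (`Fourth octet (1-254)`) and the trailing `// 1-254` comment promise 1–254; the replacement carried over the original's off-by-one, and `secureRandomInt(254) + 1` would match the documented range, assuming `secureRandomInt(n)` returns an integer in [0, n). That assumption cannot be checked here: neither the helper's definition nor a crypto import for test-data.ts appears in the diff, and the diffstat's 13 additions are fully accounted for by the visible hunks, so the helper is presumably pre-existing in this file — worth confirming it is in scope for all three call sites and that it rejects non-positive bounds. In generatePort, `max - min + 1` is passed unguarded, so a caller with max < min hands the helper a non-positive bound; `if (max < min) throw new RangeError('generatePort: max < min');` before the call would fail loudly instead. generateIPAddress starts before the first hunk, and generateCrowdSecDecisionData's return object continues past the last one.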