#20653: Security: replace SHA1 with SHA256 for hash generation
agents
size: XS
Cluster: OpenClaw Plugin Enhancements
## Summary
- Replace SHA1 with SHA256 in `gateway-lock.ts` (lock file name derivation) and `tool-call-id.ts` (tool call ID generation)
- SHA1 is cryptographically broken; SHA256 is the modern standard
- Update corresponding test to match
## Test plan
- [ ] Run `vitest src/infra/gateway-lock.test.ts` to verify lock tests pass
- [ ] Run `vitest src/agents/tool-call-id` to verify tool call ID tests pass
- [ ] Verify existing gateway lock files are cleaned up on upgrade (lock files are transient)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
This PR successfully migrates from SHA1 to SHA256 for hash generation in two non-cryptographic contexts: gateway lock file naming (`gateway-lock.ts`) and tool call ID generation (`tool-call-id.ts`). The changes are minimal and focused - only the hash algorithm parameter is updated from `"sha1"` to `"sha256"`.
- Gateway lock files use an 8-character hash suffix to distinguish locks for different config paths. The hash change will cause old lock files to be orphaned, but since lock files are transient (process-lifetime only), this is harmless.
- Tool call IDs use hashing for collision avoidance and ID generation. These are generated fresh each session and not persisted, so the algorithm change has no backward compatibility impact.
- The test file was correctly updated to match the implementation change.
- Other SHA1 usages in the codebase (`extensions/voice-call/src/webhook-security.ts` for Twilio HMAC, `scripts/debug-claude-usage.ts` for Chrome keychain) are external API requirements and correctly remain unchanged.
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with no risk
- The changes are minimal, well-scoped, and correctly implemented. Both use cases (lock file naming and tool call ID generation) are non-cryptographic hashing contexts where the specific hash values don't matter - only uniqueness and determinism. The test file was properly updated, and the migration path is clean since both lock files and tool call IDs are transient. No breaking changes or compatibility issues.
- No files require special attention
<sub>Last reviewed commit: 7327e96</sub>
<!-- /greptile_comment -->
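The lock file naming effect described in the summary above, as an added example that is not part of the PR or the OpenClaw code base. The `gateway.<suffix>.lock` name format, the hex encoding, the sample paths and all function names are assumptions; it shows that a lock named under SHA1 is no longer matched after the switch, and that the 8-character truncation keeps the same 32 bits under either algorithm.

```javascript
// Added example, not OpenClaw code. The "gateway.<suffix>.lock" format, hex
// encoding and all function names are assumptions made for illustration.
const { createHash } = require("node:crypto");

const SUFFIX_LEN = 8; // the "8-character hash suffix" from the summary

// Derive a lock file name from a config path with the given hash algorithm.
function lockFileName(configPath, algorithm) {
  const digest = createHash(algorithm).update(configPath, "utf8").digest("hex");
  return `gateway.${digest.slice(0, SUFFIX_LEN)}.lock`;
}

// Bits of the digest that survive truncation: identical for SHA1 and SHA256,
// so the suffix's accidental-collision bound does not change with the algorithm.
function suffixBits() {
  return SUFFIX_LEN * 4;
}

// Split a directory listing into locks the SHA256 build will look for, locks
// left behind under the old SHA1 naming, and files that match neither.
function classifyLocks(fileNames, configPaths) {
  const current = new Set(configPaths.map((p) => lockFileName(p, "sha256")));
  const legacy = new Set(configPaths.map((p) => lockFileName(p, "sha1")));
  const out = { current: [], orphaned: [], unknown: [] };
  for (const name of fileNames) {
    if (current.has(name)) out.current.push(name);
    else if (legacy.has(name)) out.orphaned.push(name);
    else out.unknown.push(name);
  }
  return out;
}

// Constructed input: two made-up config paths and a listing as it might look
// right after an upgrade while one pre-upgrade lock file is still on disk.
function demo() {
  const paths = ["/tmp/example-a/config.json", "/tmp/example-b/config.json"];
  const listing = [
    lockFileName(paths[0], "sha1"),   // written before the upgrade
    lockFileName(paths[0], "sha256"), // written after the upgrade
    "notes.txt",
  ];
  return classifyLocks(listing, paths);
}

console.log(demo(), suffixBits());
```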
Most Similar PRs
- #18904: fix(sandbox): restore SHA-1 in slugifySessionKey to preserve worksp... (by steflsd · 2026-02-17 · 76.2%)
- #23574: security: P0 critical remediation — plugin sandbox, password hashin... (by lumeleopard001 · 2026-02-22 · 75.6%)
- #23671: fix(security): use crypto.randomInt for session slug generation (by kevinWangSheng · 2026-02-22 · 74.0%)
- #19885: test(gateway,browser): isolate tests from ambient OPENCLAW_GATEWAY_... (by NewdlDewdl · 2026-02-18 · 73.6%)
- #20355: fix(gateway): enforce commands.restart guard for config.apply and c... (by Clawborn · 2026-02-18 · 73.0%)
- #21964: Security: harden gateway and plugin trust boundaries (by Elormyevu · 2026-02-20 · 73.0%)
- #16016: fix: update systemd unit version on gateway restart (by jbold · 2026-02-14 · 73.0%)
- #9156: fix(status): refresh version/commit on gateway restart (by gavinbmoore · 2026-02-04 · 72.9%)
- #15757: feat(security): add hardening gap audit checks (by saurabhsh5 · 2026-02-13 · 72.2%)
- #8779: fix(security): use constant-time comparison for token validation (by hleliofficiel · 2026-02-04 · 72.1%)