GT AI OS Community Edition v2.0.33

Security hardening release addressing CodeQL and Dependabot alerts:

- Fix stack trace exposure in error responses
- Add SSRF protection with DNS resolution checking
- Implement proper URL hostname validation (replaces substring matching)
- Add centralized path sanitization to prevent path traversal
- Fix ReDoS vulnerability in email validation regex
- Improve HTML sanitization in validation utilities
- Fix capability wildcard matching in auth utilities
- Update glob dependency to address CVE
- Add CodeQL suppression comments for verified false positives

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/migrations/019_add_embedding_usage.sql

@@ -0,0 +1,17 @@
+-- Migration 019: Add embedding usage tracking table
+-- Supports #241 (Embedding Model Pricing)
+
+CREATE TABLE IF NOT EXISTS public.embedding_usage_logs (
+    id SERIAL PRIMARY KEY,
+    tenant_id VARCHAR(100) NOT NULL,
+    user_id VARCHAR(100) NOT NULL,
+    tokens_used INTEGER NOT NULL,
+    embedding_count INTEGER NOT NULL,
+    model VARCHAR(100) DEFAULT 'BAAI/bge-m3',
+    cost_cents DECIMAL(10,4) NOT NULL,
+    request_id VARCHAR(100),
+    timestamp TIMESTAMP DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_embedding_usage_tenant_timestamp
+ON public.embedding_usage_logs(tenant_id, timestamp);