v0.12.1 — correctness fixes from code review

@GabrielBBaldez GabrielBBaldez released this 16 Jun 04:45

A self-review of the engine surfaced edge cases the single-package benchmark did not exercise but real multi-package projects would. All fixed:

  • Inner/anonymous classes — flow locations used Foo$1.java (which does not exist), so suppression, near-miss and autofix silently skipped findings inside nested classes. The $… suffix is now stripped.
  • Autofix could rewrite the wrong file when two classes share a simple name across packages (now skipped), and could pick a same-named variable from another method (the lookup is now scoped to the sink's own method).
  • misconfig false positive — a sensitive getter used for a non-logging purpose (e.g. encoder.matches(input, user.getPassword())) no longer taints a later unrelated log call.
  • Near-miss false positive — an escaped variable no longer triggers a wrong-context finding on a same-named variable in another method.
  • Secrets — @Value defaults that are themselves references/SpEL (${…}, #{…}) are no longer flagged as literal secrets.
  • validate-config closes its URLClassLoader (releases jar handles on Windows).
  • CI now asserts the benchmark detects exactly 33 findings, so a detection regression or new false positive fails the build.
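To illustrate the Secrets rule above, here is an added example (not the project's own code) of how a checker can tell a literal `@Value` default from one that is itself a `${…}` placeholder or `#{…}` SpEL expression; the annotation lines are constructed for the demonstration.

```python
import re

# Constructed Java annotation lines (not taken from any real project).
SAMPLES = [
    '@Value("${db.password:hunter2}")',                         # literal default: flag
    '@Value("${db.password:${vault.db.password}}")',            # default is a placeholder
    '@Value("${api.key:#{systemProperties[\'api.key\']}}")',    # default is SpEL
    '@Value("${db.password}")',                                  # no default at all
    '@Value("#{environment.getProperty(\'x\')}")',              # whole value is SpEL
]

VALUE_RE = re.compile(r'@Value\("(.*)"\)')


def split_placeholder(expr):
    """Split a ${key:default} expression into (key, default).

    The ':' separator is only honoured at brace depth 0, so a nested
    reference such as ${a:${b:c}} yields default '${b:c}', not '${b'.
    Returns (None, None) if expr is not a ${...} placeholder and
    (key, None) when no default is present."""
    if not (expr.startswith("${") and expr.endswith("}")):
        return None, None
    body, depth = expr[2:-1], 0
    for i, ch in enumerate(body):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == ":" and depth == 0:
            return body[:i], body[i + 1:]
    return body, None


def is_reference(text):
    """True when text is itself a property placeholder or a SpEL expression."""
    return text.startswith("${") or text.startswith("#{")


def literal_default(annotation_line):
    """Return the literal default worth reporting, or None when nothing is literal."""
    m = VALUE_RE.search(annotation_line)
    if not m or m.group(1).startswith("#{"):
        return None
    _key, default = split_placeholder(m.group(1))
    if default is None or is_reference(default):
        return None
    return default


def scan(lines):
    """Return (line_index, literal_default) for every flagged annotation."""
    hits = [(i, literal_default(l)) for i, l in enumerate(lines)]
    return [(i, d) for i, d in hits if d is not None]
```

Running `scan(SAMPLES)` flags only the first line; the placeholder, SpEL and no-default cases are left alone.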

Benchmark unchanged: 33/33 (taint) + 34 with near-miss, 0 false positives.