
fix(web): use secure session ids in usage benchmark#3844

Merged
RSO merged 1 commit into main from fix/codeql-248-insecure-randomness on Jun 9, 2026
Conversation

@kilo-code-bot (Bot, Contributor) commented Jun 9, 2026

Summary

  • Replaces the benchmark usage script's Math.random() session ID suffix with randomUUID() so generated session IDs no longer rely on insecure randomness.
  • Limits the change to CodeQL alert 248 in apps/web/src/scripts/usage/benchmark-insert-usage.ts.

Verification

N/A - script-only security change; no manual verification performed.

Visual Changes

N/A

Reviewer Notes

CodeQL alert: https://github.com/Kilo-Org/cloud/security/code-scanning/248

@kilo-code-bot kilo-code-bot Bot requested a review from RSO June 9, 2026 09:34
@kilo-code-bot (Bot, Contributor, Author) commented Jun 9, 2026

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Executive Summary

machine_id on line 190 uses the same insecure Math.random().toString(36) pattern that was fixed for session_id, leaving an identical CodeQL-flaggable construct in the same function.

Overview

Severity    Count
CRITICAL    0
WARNING     1
SUGGESTION  0

Issue Details

WARNING

File: apps/web/src/scripts/usage/benchmark-insert-usage.ts
Line: 190
Issue: machine_id still uses Math.random().toString(36).substring(2, 10) — same insecure randomness pattern as the session_id that was just fixed
Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File: apps/web/src/scripts/usage/benchmark-insert-usage.ts
Line: 190
Issue: machine_id: maybeNull(`machine-${Math.random().toString(36).substring(2, 10)}`, 40) — identical insecure pattern to the one fixed on line 195. randomUUID is already imported; the same fix (randomUUID().slice(0, 8)) should be applied here for consistency and to eliminate the remaining CodeQL-equivalent risk.
Files Reviewed (1 file)
  • apps/web/src/scripts/usage/benchmark-insert-usage.ts — 1 issue (line 190, not in diff)

Reviewed by claude-4.6-sonnet-20260217 · 431,674 tokens

Review guidance: REVIEW.md from base branch main

@RSO RSO merged commit 7f4b1b9 into main Jun 9, 2026
16 checks passed
@RSO RSO deleted the fix/codeql-248-insecure-randomness branch June 9, 2026 12:14