Use PBKDF2-HMAC with device-specific salt for anonymization

[Copilot]

The current anonymization uses truncated SHA1, which is vulnerable to dictionary/brute-force attacks on low-entropy inputs like IP addresses and hostnames.

Changes:

• Replace SHA1 with PBKDF2-HMAC-SHA256 (100k iterations)
• Add device-specific salt from /etc/machine-id with UUID fallback
• Rename parameter input → value to avoid shadowing builtin

Implementation:

# Before: easily reversed via precomputation
h = hashlib.sha1(input.encode()).hexdigest()
return f"anon-{h[:16]}"

# After: computationally expensive, device-specific
salt = _get_device_salt()  # from /etc/machine-id or generated UUID
h = hashlib.pbkdf2_hmac('sha256', value.encode(), salt, PBKDF2_ITERATIONS, dklen=16)
return f"anon-{h.hex()}"

The device-specific salt prevents external precomputation attacks while maintaining deterministic output per device (required for analytics).

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[gsanchietti]

Too complex