fix(SEC-REVIEW-4-7): Address remaining MEDIUM security review findings

- Graceful container shutdown: detect "not running" containers and skip
  force-remove escalation, only SIGKILL for genuine stop failures
- data: URI stripping: add security audit logging via NestJS Logger
  when data: URIs are blocked in markdown links and images
- Orchestrator bootstrap: replace void bootstrap() with .catch() handler
  for clear startup failure logging and clean process.exit(1)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/orchestrator/src/spawner/docker-sandbox.service.ts

@@ -361,8 +361,17 @@ export class DockerSandboxService {
       this.logger.log(`Container gracefully stopped and removed: ${containerId}`);
       return;
     } catch (gracefulError) {
+      const errMsg = gracefulError instanceof Error ? gracefulError.message : String(gracefulError);
+
+      // If container is already stopped, just remove without force
+      if (errMsg.includes("is not running") || errMsg.includes("304")) {
+        this.logger.log(`Container ${containerId} already stopped, removing without force`);
+        await container.remove({ force: false });
+        return;
+      }
+
       this.logger.warn(
-        `Graceful stop failed for container ${containerId}, falling back to force remove: ${gracefulError instanceof Error ? gracefulError.message : String(gracefulError)}`
+        `Graceful stop failed for container ${containerId}, falling back to force remove: ${errMsg}`
       );
     }