Fix B108: replace hardcoded /tmp with tempfile.gettempdir()

Bandit flags hardcoded /tmp strings as CWE-377 (insecure temp file).
Use tempfile.gettempdir() for the avatar cache dir default so the
path resolves correctly on all platforms and passes the security scan.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app.py

@@ -10,6 +10,7 @@ import json
 import logging
 import os
 import re
+import tempfile
 import threading
 import time
 import uuid
@@ -458,7 +459,7 @@ def api_avatar():
 
     # Build a safe cache filename from the username (alphanumeric + - _ .)
     safe_name = re.sub(r'[^a-zA-Z0-9._-]', '_', username)
-    cache_dir = ldap_cfg.get('cache_dir', '/tmp/gandalf_avatars')
+    cache_dir = ldap_cfg.get('cache_dir', os.path.join(tempfile.gettempdir(), 'gandalf_avatars'))
     os.makedirs(cache_dir, exist_ok=True)
     cache_file = os.path.join(cache_dir, f'user_{safe_name}.jpg')
     sentinel    = os.path.join(cache_dir, f'user_{safe_name}.none')