Update challenge configs from OWASP 2021 to 2025 IDs

[Treelovah]

Challenge config files use OWASP 2021 category IDs in expectedApproach.owaspCategory (e.g., "A03:2021 Injection").

The OASIS website analyzer and compliance report system have been updated to use OWASP Top 10 2025 natively. The CLI validator pattern is year-agnostic so it already accepts 2025 format, but the challenge JSON files themselves still reference 2021.

What needs to change:

Every owaspCategory value in challenge configs needs updating to the 2025 equivalents:

Old (2021)	New (2025)
A01:2021 Broken Access Control	A01:2025 Broken Access Control
A02:2021 Cryptographic Failures	A04:2025 Cryptographic Failures
A03:2021 Injection	A05:2025 Injection
A04:2021 Insecure Design	A06:2025 Insecure Design
A05:2021 Security Misconfiguration	A02:2025 Security Misconfiguration
A06:2021 Vulnerable Components	A03:2025 Software Supply Chain Failures
A07:2021 Auth Failures	A07:2025 Authentication Failures
A08:2021 Integrity Failures	A08:2025 Software or Data Integrity Failures
A09:2021 Logging Failures	A09:2025 Security Logging and Alerting Failures
A10:2021 SSRF	A01:2025 Broken Access Control (merged)

Note: OWASP 2025 reshuffled positions — A03 and A05 swapped, A02 and A04 swapped, A10 (SSRF) merged into A01 (BAC), and new categories added (A03 Supply Chain, A10 Exceptional Conditions).

Reference: https://owasp.org/Top10/2025/