Upgrade to Ruby 4.0.1, bump version to 0.9.0

Replace CGI.parse (removed in Ruby 4.0) with Rack::Utils.parse_query
in application controller, sessions controller, and OIDC tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/controllers/application_controller.rb

@@ -28,12 +28,10 @@ class ApplicationController < ActionController::Base
     uri = URI.parse(url)
     return url unless uri.query
 
-    # Parse query string into hash
-    params = CGI.parse(uri.query)
+    params = Rack::Utils.parse_query(uri.query)
     params.delete(param_name)
 
-    # Rebuild query string (empty string if no params left)
-    uri.query = params.any? ? URI.encode_www_form(params) : nil
+    uri.query = params.any? ? Rack::Utils.build_query(params) : nil
     uri.to_s
   rescue URI::InvalidURIError
     url

app/controllers/sessions_controller.rb

@@ -20,8 +20,8 @@ class SessionsController < ApplicationController
       begin
         uri = URI.parse(session[:return_to_after_authenticating])
         if uri.query.present?
-          query_params = CGI.parse(uri.query)
-          @login_hint = query_params["login_hint"]&.first
+          query_params = Rack::Utils.parse_query(uri.query)
+          @login_hint = query_params["login_hint"]
         end
       rescue URI::InvalidURIError
         # Ignore parsing errors