Freshbits โ security sweep
Fixes
- #20803 9edec67a1 fix(security): block plaintext WebSocket connections to non-loopback addresses- #20857 baf4a799a fix(security): use YAML core schema to prevent type coercion
- #20856 f1e1ad73a fix(security): SHA-256 hash before timingSafeEqual to prevent length leak
- #20854 ee6d0bd32 fix(security): escape backticks in exec-approval command previews
- #20655 fb35635c1 Security: use execFileSync instead of execSync with shell strings
- #20654 57102cbec Security: use crypto.randomBytes for temp file names
- #10526 e955582c8 security: add baseline security headers to gateway HTTP responses
- #20853 e0aaf2d39 fix(security): block prototype-polluting keys in deepMerge
- #16941 3feb7fc3a fix(matrix): detect mentions in formatted_body matrix.to links
- #17094 466a1e1cd fix(clawdock): include docker-compose.extra.yml in helper
