Fix remaining 8 code scanning security vulnerabilities

Fixed all 8 remaining security issues identified by GitHub code scanning:

1. Clear-text logging (CWE-312) - Already fixed in previous commit
2. CORS misconfiguration (CWE-942) - Fixed credential transfer with dynamic origins
3. Incomplete sanitization in AutoCommitManager - Properly escape all regex special chars
4. Incomplete sanitization in GitHubSecretManager - Use global replace for wildcards
5. Incomplete sanitization in EnvironmentPropagator - Escape backslashes properly
6. Bad HTML filtering in InputValidator - Handle script tags with spaces

Security improvements:
- SharedContextServer: Only allow credentials for whitelisted origins
- AutoCommitManager: Complete regex escaping including backslashes
- GitHubSecretManager: Use /\*/g for global wildcard replacement
- EnvironmentPropagator: Escape backslashes before quotes in values
- InputValidator: Improved XSS detection with flexible tag matching

Author: VibeCodingWithPhil

src/context/SharedContextServer.ts

@@ -174,14 +174,16 @@ export class SharedContextServer extends EventEmitter {
 
       if (allowedOrigins.includes(origin)) {
         res.setHeader('Access-Control-Allow-Origin', origin);
+        res.setHeader('Access-Control-Allow-Credentials', 'true');
       } else if (origin.startsWith('http://localhost:') || origin.startsWith('http://127.0.0.1:')) {
         // Allow any localhost port for development flexibility
         res.setHeader('Access-Control-Allow-Origin', origin);
+        // Don't allow credentials for dynamic origins
+        res.setHeader('Access-Control-Allow-Credentials', 'false');
       }
 
       res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
       res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
-      res.setHeader('Access-Control-Allow-Credentials', 'true');
 
       if (method === 'OPTIONS') {
         res.writeHead(200);

src/database/EnvironmentPropagator.ts

@@ -724,8 +724,10 @@ export class EnvironmentPropagator {
    */
   private quoteValue(value: string): string {
     // Quote if contains spaces or special characters
-    if (value.includes(' ') || value.includes('\n') || value.includes('\t') || value.includes('"')) {
-      return `"${value.replace(/"/g, '\\"')}"`;
+    if (value.includes(' ') || value.includes('\n') || value.includes('\t') || value.includes('"') || value.includes('\\')) {
+      // Escape backslashes first, then quotes
+      const escaped = value.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+      return `"${escaped}"`;
     }
     return value;
   }

src/github/GitHubSecretManager.ts

@@ -393,7 +393,7 @@ export class GitHubSecretManager {
     if (options.include && options.include.length > 0) {
       filtered = filtered.filter(entry => 
         options.include!.some(pattern => 
-          entry.key.match(new RegExp(pattern.replace('*', '.*')))
+          entry.key.match(new RegExp(pattern.replace(/\*/g, '.*')))
         )
       );
     }
@@ -402,7 +402,7 @@ export class GitHubSecretManager {
     if (options.exclude && options.exclude.length > 0) {
       filtered = filtered.filter(entry => 
         !options.exclude!.some(pattern => 
-          entry.key.match(new RegExp(pattern.replace('*', '.*')))
+          entry.key.match(new RegExp(pattern.replace(/\*/g, '.*')))
         )
       );
     }
@@ -419,7 +419,7 @@ export class GitHubSecretManager {
 
     filtered = filtered.filter(entry => 
       !commonNonSecrets.some(pattern => 
-        entry.key.match(new RegExp(pattern.replace('*', '.*')))
+        entry.key.match(new RegExp(pattern.replace(/\*/g, '.*')))
       )
     );
 

src/protection/AutoCommitManager.ts

@@ -204,11 +204,22 @@ export class AutoCommitManager {
   }
 
   private matchesPattern(filePath: string, pattern: string): boolean {
-    // Convert glob pattern to regex
+    // Convert glob pattern to regex - escape special characters properly
     const regexPattern = pattern
+      .replace(/\\/g, '\\\\')  // Escape backslashes first
       .replace(/\./g, '\\.')
       .replace(/\*/g, '.*')
-      .replace(/\?/g, '.');
+      .replace(/\?/g, '.')
+      .replace(/\[/g, '\\[')
+      .replace(/\]/g, '\\]')
+      .replace(/\(/g, '\\(')
+      .replace(/\)/g, '\\)')
+      .replace(/\^/g, '\\^')
+      .replace(/\$/g, '\\$')
+      .replace(/\+/g, '\\+')
+      .replace(/\{/g, '\\{')
+      .replace(/\}/g, '\\}')
+      .replace(/\|/g, '\\|');
 
     const regex = new RegExp(`^${regexPattern}$`);
     return regex.test(filePath) || regex.test(path.basename(filePath));

src/validation/InputValidator.ts

@@ -32,11 +32,14 @@ export class InputValidator {
 
   // XSS patterns
   private static readonly XSS_PATTERNS = [
-    /<script[^>]*>.*?<\/script>/gi,
-    /<iframe[^>]*>.*?<\/iframe>/gi,
+    /<script[^>]*>.*?<\/\s*script\s*>/gi,  // Matches </script> with optional spaces
+    /<iframe[^>]*>.*?<\/\s*iframe\s*>/gi,  // Matches </iframe> with optional spaces
     /javascript:/gi,
     /on\w+\s*=/gi,
     /<img[^>]*onerror[^>]*>/gi,
+    /<style[^>]*>.*?<\/\s*style\s*>/gi,  // Also check style tags
+    /<object[^>]*>.*?<\/\s*object\s*>/gi,  // Check object tags
+    /<embed[^>]*>/gi,  // Check embed tags
   ];
 
   /**