…d rate limiting
- Add clustering support based on available CPU cores and environment settings
- Integrate PostHog analytics for API request and server metrics tracking
- Implement rate limiting with IP validation and bounded in-memory storage
- Enhance VercelRequest and VercelResponse interfaces with robust parsing and security headers
- Improve CORS handling with origin allowlists and credential support
- Validate and sanitize API endpoint paths to prevent directory traversal attacks
- Add request body size limit and enforce request timeout handling
- Provide structured logging for requests, responses, errors, and server lifecycle events
- Add health endpoint with uptime, metrics, environment, and version info
- Support graceful shutdown with analytics capture on termination signals
- Update create-checkout-session API with stricter CORS origin checks and OPTIONS method handling
- Refine hono-polar API subscription syncing with date object conversions and improved checkout flow
- Enhance secret-chat API error handling with detailed status codes and messages
- Update service worker cache revision for production deployment
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
High Priority Fixes:
- Replace vulnerable regex patterns in IP validation with safe string operations
- Secure cookie parsing with Object.create(null) to prevent prototype pollution
- Enhanced file system operations with additional validation layers
- Add PostHog analytics payload size limits (32KB) and comprehensive PII sanitization
- Implement error message sanitization to prevent information leakage

Security Improvements:
- Safe IPv4/IPv6 validation without regex DoS vulnerability
- Cookie name/value validation with length limits and safe patterns
- Multi-layer path traversal protection for API endpoint resolution
- PII pattern detection and redaction for analytics
- Development vs production error handling with safe messaging
- ESLint security rule compliance with appropriate exemptions for validated cases

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
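Cookie parsing with a null-prototype map and name/value validation, as the commit above describes it, written here as an added example rather than code taken from the project; the length limits, the character classes, and the function names are assumptions, and the plain-object variant is included only to show the difference a null prototype makes.

```typescript
// Added example, not the project's code: cookie parsing of the kind the commit
// above describes. The limits and character classes are assumptions.
const MAX_COOKIE_NAME = 256;    // assumed limit
const MAX_COOKIE_VALUE = 4096;  // assumed limit
// RFC 6265 token characters for names and cookie-octets for values; each
// pattern is a single anchored character class, so it cannot backtrack.
const COOKIE_NAME_RE = /^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/;
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

type CookieJar = Record<string, string>;

// Parse a Cookie request header into a null-prototype map. With no prototype,
// a cookie named "__proto__" or "constructor" becomes an ordinary own property,
// and a lookup such as jar["toString"] cannot reach Object.prototype.
function parseCookies(header: string | undefined): CookieJar {
  const jar: CookieJar = Object.create(null);
  if (!header) return jar;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;                       // no "=": malformed pair, skip
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);               // optional DQUOTE wrapping
    }
    if (name.length === 0 || name.length > MAX_COOKIE_NAME || !COOKIE_NAME_RE.test(name)) continue;
    if (value.length > MAX_COOKIE_VALUE || !COOKIE_VALUE_RE.test(value)) continue;
    if (!(name in jar)) jar[name] = value;      // keep the first occurrence
  }
  return jar;
}

// Contrast: the same split into a plain object. Here "__proto__" is not stored
// as an own key (it resolves to the prototype) and jar["toString"] yields a
// function rather than a cookie value, which is what downstream code trips on.
function parseCookiesUnsafe(header: string): Record<string, string> {
  const jar: Record<string, string> = {};
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}
```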
…ration limits
- Updated regex patterns for sanitizing metadata, navigation, images, stylesheets, scripts, fonts, and meta tags to prevent potential vulnerabilities.
- Implemented iteration limits to avoid catastrophic backtracking in regex operations.
- Added validation checks for extracted URLs and text to ensure safety and compliance with length restrictions.

This commit addresses security concerns and improves the robustness of HTML content extraction.
- Resolved CORS configuration conflict in api-dev-server.ts using secure whitelist approach
- Resolved git provider detection conflict in lib/deployment/netlify.ts using comprehensive URL parsing
- Fixed regex escape character issue in netlify.ts for security compliance

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
**HIGH RISK - CORS Misconfiguration Fixed:**
- Separate trusted origins from allowed origins in api-dev-server.ts
- Only enable credentials for explicitly trusted domains
- Prevent credential hijacking via dynamic origin setting

**MEDIUM RISK - URL Validation Bypass Fixed:**
- Replace vulnerable substring matching with secure hostname validation
- Use proper URL parsing to prevent domain spoofing attacks
- Affected files: netlify.ts and vercel.ts deployment services

**MEDIUM RISK - Information Exposure Prevention:**
- Enhanced error sanitization in both development and production modes
- Remove ALL sensitive paths, environment variables, credentials from error messages
- Stricter character limits and complete information sanitization

Security improvements protect against:
- Credential theft via CORS misconfiguration
- Domain spoofing attacks (evil.com/github.com bypasses)
- Internal system information disclosure through error messages

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
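The two fixes the commit above describes, trusted versus allowed origins for CORS credentials and hostname validation instead of substring matching, as an added example that is not the project's own code; the origin lists, the example hosts, and all function names are assumptions, and the substring matcher is shown only as the pattern being replaced.

```typescript
// Added example, not the project's code: origin and hostname validation of the
// kind the commit above describes. Origin lists and helper names are assumptions.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);            // may send credentials
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://preview.example.com"]);

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// A browser Origin header is scheme://host[:port] with no userinfo, path or
// query; anything else is rejected before the allowlist is consulted.
function isValidOrigin(origin: string): boolean {
  const u = parseUrl(origin);
  return u !== null && u.protocol === "https:" && u.origin === origin;
}

// Echo the request origin only when allowlisted, and allow credentials only for
// the smaller trusted set, so an allowed-but-untrusted origin cannot obtain
// cookie-authenticated responses. A disallowed origin gets no CORS headers.
function corsHeadersFor(origin: string | undefined): Record<string, string> {
  const headers: Record<string, string> = { Vary: "Origin" };
  if (!origin || !isValidOrigin(origin) || !ALLOWED_ORIGINS.has(origin)) return headers;
  headers["Access-Control-Allow-Origin"] = origin;
  if (TRUSTED_ORIGINS.has(origin)) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Substring matching, the pattern the commit replaces: the host is never
// isolated, so "https://evil.com/github.com" passes on its path alone.
function looksLikeGitHubUrl(raw: string): boolean {
  return raw.includes("github.com");
}

// Hostname validation: parse, then compare the host component exactly, or as a
// subdomain of the expected host (a dot-prefixed suffix, not a bare suffix).
function isGitHubUrl(raw: string): boolean {
  const u = parseUrl(raw);
  if (u === null || u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  return host === "github.com" || host.endsWith(".github.com");
}
```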
- Fix Promise being passed to Convex in EnhancedChatInterface.tsx by properly consuming textStream
- Fix 404 error on tRPC billing endpoint by correcting URL path to /hono/trpc/
- Add robust array checks to prevent Se.map undefined errors
- Improve metadata handling with proper values instead of undefined
- Enhanced error handling and logging for tRPC requests

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Take the more secure origin validation from main branch that includes additional isValidOrigin checks for both trusted and allowed origins.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Replace `existsSync` with `statSync` for safer file existence checks in API endpoints.
- Improve error handling for non-file responses and inaccessible directories.
- Update CORS handling in `create-checkout-session` to validate origins more robustly.
- Introduce helper functions for validating environment variables in `hono-polar` API.
- Refactor input sanitization and validation logic in various components for enhanced security.
- Clean up unused imports and optimize component structures across multiple files.
- Update analytics configuration to enable based on the presence of the PostHog API key.
- Improve IP hashing method for better privacy using SHA-256.
- Refine IP validation logic with comprehensive regex for IPv6 support.
- Enhance error responses in API endpoints to include decoded endpoint information.
- Implement structured logging for API requests and errors, ensuring sensitive data is scrubbed.
- Update README to reflect enhanced security features and request timeout settings.
- Add new environment variables for Sentry error monitoring and privacy consent management.
- Optimize dependency versions in package.json and bun.lock for improved stability.
- Simplified regex patterns for email and phone number validation.
- Improved handling of sensitive headers in the scrubHeaders function.
- Updated error sanitization methods to prevent sensitive data leaks.
- Enhanced URL validation patterns for GitHub links.
- Refined object sanitization to prevent prototype pollution and ensure safe handling of sensitive fields.
…for credentials transfer

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
- Resolved IP validation function conflicts by choosing the newer, more robust implementation
- Resolved cookie parsing conflicts by keeping enhanced prototype pollution protection
- Resolved file existence check conflicts by using the safer validation approach
- Resolved HTML sanitization conflicts by keeping the sanitize-html library approach
- All conflicts resolved while maintaining security best practices

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…m our branch

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
…ranch

Merged security enhancements while preserving functionality:
- Enhanced error sanitization with comprehensive path and credential redaction
- Improved CORS handling with secure credential-only for trusted origins
- Upgraded IP hashing from base64 to SHA-256 for better anonymization
- Tightened error message length limits and expanded error pattern matching
- More comprehensive PII detection and sanitization patterns
- Regenerated bun.lock to resolve dependency conflicts

All security improvements from dev-branch have been prioritized while maintaining existing functionality from qoder branch.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Introduced `ZapdevDeploymentSecrets` to handle sensitive deployment tokens securely.
- Updated `ZapdevDeploymentConfig` to exclude sensitive access tokens, ensuring they are retrieved at runtime.
- Enhanced deployment manager to utilize the new secrets structure for Netlify and Vercel services.
- Improved error handling and logging in various API endpoints for better security and maintainability.
- Updated README to reflect changes in deployment configuration and security practices.
…pdate service worker registration
- Removed commented-out critical CSS resources for clarity.
- Added module preload link for improved loading performance of main module.
- Updated service worker registration to use a more generic '/sw.js' path for better maintainability.
Resolved merge conflicts prioritizing security improvements and maintaining functionality:
- API-SERVER-README.md: Fixed malformed line in graceful shutdown feature
- api/deploy.ts: Used main branch approach with runtime secrets validation
- api/domains.ts: Kept deployment manager configuration comment from main
- api/success.ts: Maintained strict authentication requirements from qoder
- lib/deployment/types.ts: Used main branch configuration comment
- lib/deployment/vercel.ts: Kept enhanced extractRepoPath with security improvements
- src/components/PrivacyConsentBanner.tsx: Used function declaration style from main
- src/components/SubscriptionUpgradeModal.tsx: Removed SafeText dependency
- src/components/auth/EnhancedSignUp.tsx: Kept clean interface without unused onComplete prop
- src/components/auth/PrivacyAwareSignInButton.tsx: Used function declaration style
- src/main.tsx: Removed unused imports from qoder branch
- src/utils/security.ts: Kept simpler script tag regex pattern from qoder
- src/utils/text-sanitizer.ts: Preserved Zod validation enhancements from qoder

All conflicts resolved while maintaining security improvements and code quality.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Fix TypeScript errors in API files (type assertions, unused parameters)
- Update AI SDK usage from v2 to v3 (maxTokens → maxCompletionTokens)
- Fix tRPC context function signature for Hono adapter
- Resolve duplicate interface declarations in deployment types
- Add missing required properties to analytics events
- Fix Vite PWA plugin Cache-Control header configuration
- Remove invalid regex pattern in workbox cacheableResponse config

All TypeScript build errors resolved. Vercel deployment now succeeds.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Caution: Review failed. The pull request is closed.

Walkthrough: Adds a redundant authentication check block in api/success.ts, introduces navigation to the pricing page in EnhancedChatInterface's upgrade flow, and applies a whitespace-only change in vite.config.ts. No exported/public signatures are changed.

Sequence Diagram(s):

```mermaid
sequenceDiagram
    autonumber
    participant C as Client
    participant H as /api/success Handler
    participant A as Auth Service
    participant S as Subscription Store
    C->>H: HTTP request with Authorization
    rect rgba(230,240,255,0.6)
        note over H: Initial auth check
        H->>H: Extract auth header
        H->>A: verifyAuth(token)
        A-->>H: Auth OK / Error
    end
    rect rgba(255,240,230,0.6)
        note over H: Nested duplicate auth check
        H->>H: Re-extract auth header
        H->>A: verifyAuth(token) (again)
        A-->>H: Auth OK / Error
    end
    H->>S: Fetch subscription
    S-->>H: Subscription data
    H-->>C: Response
```

```mermaid
sequenceDiagram
    autonumber
    participant U as User
    participant E as EnhancedChatInterface
    participant R as React Router
    U->>E: Click "Upgrade"
    E->>R: navigate("/pricing")
    R-->>U: Route to Pricing page
```

Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 20372498 | Triggered | Generic High Entropy Secret | 72993ac | .env.deployment.template | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider:
- following these best practices for managing and storing secrets including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.