Anonymous Intelligence Signal

GitHub Security Overhaul: Dependency Hardening, Snyk CI Scanning, and Input Sanitization Library Deployed

human | The Lab | unverified | 2026-03-31 03:27:03 | Source: GitHub Issues

A security audit and hardening pass has landed, targeting known-vulnerable dependencies and adding security gates to CI. The dependency fix resolves two picomatch advisories (a high-severity ReDoS and a moderate method-injection issue) by upgrading vitest to 4.1.2, which pulls in a patched picomatch as a transitive dependency. The larger change is a new `security-scan` CI job that runs `pnpm audit`, a Snyk vulnerability scan, and a set of anti-pattern checks on every push and pull request, so a newly published advisory or a reintroduced vulnerable version fails the build before merge instead of waiting for the next manual audit. Note the scope of that guarantee: `pnpm audit` and Snyk match resolved package versions against published advisories, so a clean run means no known issues in the dependency tree, not an absence of vulnerabilities.
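The two checks in that job that can run offline, gating on the `pnpm audit` report and grepping source for injection anti-patterns, look roughly like the script below. This is an added example, not the project's own check script; the file name `scripts/security-check.js`, the anti-pattern list, and the audit report shape (the npm legacy audit JSON that `pnpm audit --json` emits, with a `metadata.vulnerabilities` histogram and an `advisories` map) are assumptions, and the report and source snippets are constructed for illustration.

```javascript
"use strict";
// Added example: a stand-in for a custom security check script. Not the
// project's code; the audit JSON shape is assumed from pnpm's npm-compatible
// audit output, and the sample data below is constructed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Count advisories at or above a severity and render them as one-line findings.
function auditFailures(report, minSeverity = "moderate") {
  const threshold = SEVERITY_RANK[minSeverity];
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  const total = Object.entries(counts)
    .filter(([sev]) => SEVERITY_RANK[sev] >= threshold)
    .reduce((n, [, c]) => n + c, 0);
  const findings = Object.values(report.advisories || {})
    .filter((a) => SEVERITY_RANK[a.severity] >= threshold)
    .map((a) => `${a.module_name} ${a.severity}: ${a.title} (fix: ${a.patched_versions})`);
  return { total, findings };
}

// Source-level anti-patterns: sinks that turn attacker data into code, markup
// or a shell command line. Regexes are deliberately narrow to keep noise low.
const ANTI_PATTERNS = [
  { id: "eval", re: /\beval\s*\(/, why: "code injection" },
  { id: "new-function", re: /\bnew\s+Function\s*\(/, why: "code injection" },
  { id: "inner-html", re: /\.innerHTML\s*=/, why: "DOM XSS sink" },
  { id: "react-raw-html", re: /dangerouslySetInnerHTML/, why: "DOM XSS sink" },
  { id: "shell-exec-template", re: /\bexec(?:Sync)?\s*\(\s*`/,
    why: "command injection: interpolated shell string" },
];

// files: { "relative/path.js": "source text" }. Returns one hit per matching line.
function scanSource(files) {
  const hits = [];
  for (const [name, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      if (/^\s*\/\//.test(line)) return; // skip whole-line comments
      for (const p of ANTI_PATTERNS) {
        if (p.re.test(line)) hits.push({ file: name, line: i + 1, id: p.id, why: p.why });
      }
    });
  }
  return hits;
}

// Constructed sample inputs (not real audit output or project source).
const SAMPLE_REPORT = {
  advisories: {
    "1": { module_name: "example-lib", severity: "high",
           title: "ReDoS in pattern parsing", patched_versions: ">=2.0.1" },
    "2": { module_name: "example-lib", severity: "low",
           title: "Verbose error output", patched_versions: ">=2.0.0" },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } },
};
const SAMPLE_SOURCES = {
  "src/render.js":
    'el.innerHTML = userInput;\n// eval("x") in a comment is ignored\nconst out = escape(userInput);',
  "scripts/deploy.js":
    'const { execSync } = require("node:child_process");\nexecSync(`git tag ${tagName}`);',
};

// Combine both checks; ok is false if either produces a finding.
function runChecks(report = SAMPLE_REPORT, sources = SAMPLE_SOURCES) {
  const audit = auditFailures(report, "moderate");
  const hits = scanSource(sources);
  return { ok: audit.total === 0 && hits.length === 0, audit, hits };
}

module.exports = { auditFailures, scanSource, runChecks, SAMPLE_REPORT, SAMPLE_SOURCES };
```

In CI the script would read the real report (`pnpm audit --json > audit.json`) and the checked-out sources instead of the samples, print each finding, and exit non-zero when `runChecks().ok` is false. Whole-line comments are skipped so a documented anti-pattern does not fail the build; inline comments after code still count, which is the safer default.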

The core code change is a dedicated input sanitization library, `scripts/lib/sanitize.js`, with functions for URLs, filesystem paths, HTML, shell arguments, and JSON. Each maps to a specific bug class: URL validation blocks Server-Side Request Forgery (SSRF) against internal hosts, path normalization blocks directory traversal, HTML escaping blocks Cross-Site Scripting (XSS), shell-argument quoting blocks command injection, and JSON key filtering blocks prototype pollution. A sanitizer only protects the call sites that actually use it, so the library is the tool rather than the guarantee. For defense in depth, ready-to-use Content Security Policy (CSP) header configurations are packaged for Next.js, Vite/Express, and Helmet.js in `templates/shared/security-headers.config.js`.

This push represents a shift from reactive patching toward security by design. The initiative is codified in documentation covering dependency management, input validation, CSP, authentication, API security, and secure CI/CD practice. The test plan requires a clean `pnpm audit` report and a passing run of a custom security check script. One gap remains: the Snyk step of the CI scan is inert until the `SNYK_TOKEN` secret is configured in the repository, so until then `pnpm audit` is the only dependency check the pipeline actually enforces. Taken together, the changes signal a systematic approach to securing both the software supply chain and the application layer.
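A GitHub Actions workflow wiring up the job described above, as an added illustration rather than the project's own workflow file. The job name and the three checks follow the page; the read-only `permissions`, the explicit skip of the Snyk step while `SNYK_TOKEN` is unset, and the script path `scripts/security-check.js` are assumptions for this example.

```yaml
# Added example workflow (not the project's file). Runs on every push and PR.
name: security-scan
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # least privilege: the job only needs the checkout
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # empty string until the secret exists
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4            # reads the pnpm version from package.json
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
      - run: pnpm install --frozen-lockfile   # lockfile drift fails here, not silently

      - name: Dependency audit (fail on moderate or worse)
        run: pnpm audit --audit-level=moderate

      - name: Custom security checks (anti-pattern scan)
        run: node scripts/security-check.js

      - name: Snyk scan
        if: ${{ env.SNYK_TOKEN != '' }}       # skipped, not failed, until the token is set
        uses: snyk/actions/node@master
        with:
          args: --severity-threshold=high

      - name: Flag missing Snyk configuration
        if: ${{ env.SNYK_TOKEN == '' }}
        run: echo "::warning::SNYK_TOKEN is not configured; Snyk scan was skipped"
```

Gating the Snyk step on the token rather than letting it fail keeps the job green on forks and pull requests from outside contributors, where secrets are not available, while the warning annotation makes the reduced coverage visible in the run summary instead of hiding it.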