
fix(security): resolve ~14 JavaScript CodeQL alerts (#3164) #3183

Merged
mrveiss merged 2 commits into Dev_new_gui from fix/3164-js-alerts
Apr 1, 2026

Conversation

@mrveiss mrveiss commented Apr 1, 2026

Summary

Alert types fixed

| Alert | Count | Fix |
| --- | --- | --- |
| js/incomplete-multi-character-sanitization | 5 | .replace('_', ' ') → .replaceAll('_', ' ') |
| js/insecure-randomness | 6 | Math.random() → crypto.randomUUID() / crypto.getRandomValues() |
| js/prototype-pollution-utility | 2 | Added __proto__/constructor/prototype key guards in formHelpers.ts |
| js/clear-text-storage-of-sensitive-data | 1 | Auth tokens moved from localStorage to sessionStorage |
| js/reflected-xss | 1 | escapeHtml() applied to dynamic values in innerHTML templates |
| js/shell-command-injection-from-environment | 1 | Added input validation + suppression comment |

Files changed (14)

  • autobot-slm-frontend/src/views/DeploymentsView.vue — replaceAll fix (4 locations)
  • autobot-slm-frontend/src/views/performance/AlertRulesView.vue — replaceAll fix
  • autobot-frontend/src/utils/formHelpers.ts — prototype pollution guards
  • autobot-frontend/src/services/GlobalWebSocketService.ts — crypto.getRandomValues
  • autobot-frontend/src/services/LiveEventService.ts — crypto.getRandomValues
  • autobot-frontend/src/components/chat/ChatInput.vue — crypto.randomUUID
  • autobot-frontend/src/stores/useAppStore.ts — crypto.randomUUID
  • autobot-frontend/src/plugins/errorHandler.ts — crypto.randomUUID
  • autobot-frontend/src/types/settings.ts — crypto.randomUUID
  • autobot-frontend/src/utils/cacheManagement.ts — escapeHtml for innerHTML
  • autobot-slm-frontend/src/stores/auth.ts — sessionStorage for tokens
  • autobot-slm-frontend/src/views/LoginView.vue — sessionStorage
  • autobot-slm-frontend/src/views/SSOCallbackView.vue — sessionStorage
  • .mcp/autobot-mcp-server.js — input validation + suppression

Test plan

  • Both frontends build without errors
  • Login/logout flow works with sessionStorage
  • SSO callback stores token in sessionStorage
  • Deployment status displays correctly with replaceAll
  • No runtime regressions in affected components
  • CodeQL re-scan shows reduction in JS alerts

🤖 Generated with Claude Code

- js/incomplete-multi-character-sanitization: .replace('_',' ') → .replaceAll('_',' ')
- js/insecure-randomness: Math.random() → crypto.randomUUID()/getRandomValues()
- js/prototype-pollution-utility: add __proto__/constructor/prototype guards
- js/clear-text-storage-of-sensitive-data: move auth tokens to sessionStorage
- js/reflected-xss: escape dynamic values in innerHTML templates
- js/shell-command-injection-from-environment: add validation + suppression comment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

mrveiss commented Apr 1, 2026

Code review

Found 1 issue:

  1. escapeHtml defined locally in cacheManagement.ts instead of reusing the shared sanitization utility (CLAUDE.md says "Reuse Existing Code — import from autobot_shared/, never duplicate or hardcode"). The same escape logic already exists locally in CodeGenerationDashboard.vue, so this PR introduces a second copy. The right fix is to export a shared escapeHtml from @/utils/sanitize.ts (or a dedicated @/utils/htmlHelpers.ts) and import it in both cacheManagement.ts and CodeGenerationDashboard.vue.

import { fetchWithAuth } from '@/utils/fetchWithAuth'

function escapeHtml(str: string): string {
  return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;')
}

The existing duplicate (for reference): https://github.com/mrveiss/AutoBot-AI/blob/e1b773ed3b084470cae603d16390a99bf84ab1f1/autobot-frontend/src/components/analytics/CodeGenerationDashboard.vue

Note: the sanitize.ts utility at @/utils/sanitize.ts uses DOMPurify with an allow-list approach — it is not the same as a strict escape function — so a new shared escapeHtml export is the correct addition rather than reusing the existing sanitizers directly.

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.
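What the shared escape utility the review asks for could look like, as an added example rather than the project's code. The module path `@/utils/htmlHelpers.ts` is the review's own suggestion; `renderCacheRow` is a hypothetical stand-in for the innerHTML template in cacheManagement.ts. It goes one step past the PR's version by escaping single quotes as well, which matters when a value lands inside a single-quoted attribute.

```javascript
// Added example, not the PR's code: one shared escapeHtml as the review asks
// for (it would live in a module such as @/utils/htmlHelpers.ts, the review's
// suggested path) and one caller built on it. renderCacheRow is hypothetical.

// Single regex pass with a lookup table: each character is examined once, so
// the ordering hazard of chained .replace() calls (escaping '<' to '&lt;' and
// then re-escaping that '&' to '&amp;lt;') cannot occur. Single quotes are
// escaped too, which the PR's four-character version omits.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Template that interpolates untrusted fields into markup. Every dynamic value
// passes through escapeHtml, so the only tags in the result are the literal
// ones written in the template itself.
function renderCacheRow(entry) {
  return (
    `<tr title='${escapeHtml(entry.key)}'>` +
    `<td>${escapeHtml(entry.key)}</td>` +
    `<td>${escapeHtml(entry.sizeBytes)}</td>` +
    `</tr>`
  );
}

// Property a test can assert on an escaped value: none of the characters that
// open a tag or terminate an attribute survive.
function isEscapedValue(text) {
  return !/[<>"']/.test(text);
}
```

escapeHtml is a text-context escaper only. It is the right tool for the innerHTML templates in this PR, but not a substitute for the DOMPurify allow-list in sanitize.ts when intentionally rich HTML has to be preserved, which is why the review treats the two as separate utilities.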


mrveiss commented Apr 1, 2026

Code review

Found 1 issue:

  1. Incomplete sessionStorage migration will break auth across the SLM frontend. The PR migrates token writes from localStorage to sessionStorage in auth.ts, LoginView.vue, and SSOCallbackView.vue. However, 14+ other files still read the token directly via localStorage.getItem('slm_access_token'), bypassing the Pinia store. After merge, new logins write to sessionStorage but these files read from localStorage and get null, sending Authorization: Bearer null on all API requests. Affected files include useSlmApi.ts, router/index.ts, useRoles.ts, useOrchestration.ts, useSystemUpdates.ts, useCodeSource.ts, useCodeSync.ts, useOrchestrationManagement.ts, useExternalAgents.ts, DeploymentWizard.vue, InfrastructureView.vue, InfrastructureWizard.vue, CodeSourceModal.vue, and OrchestrationView.vue. All direct localStorage.getItem('slm_access_token') calls need to be migrated to sessionStorage (or better, centralized through the auth store).

const router = useRouter()
// Session-scoped storage: tokens are cleared when the browser tab closes
const token = ref<string | null>(sessionStorage.getItem(TOKEN_KEY) || localStorage.getItem(TOKEN_KEY))
const user = ref<User | null>(
  (() => {

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.

Migrate remaining 14 files from localStorage.getItem('slm_access_token')
to sessionStorage to match the token write migration in auth.ts, preventing
null token reads and 401 errors across the SLM frontend.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
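The failure the review above describes and the follow-up commit fixes, reproduced as an added example (not the AutoBot-AI code): a write-side migration to sessionStorage while consumers still read localStorage directly yields `Authorization: Bearer null`. The storage objects are constructed in-memory stand-ins for `window.sessionStorage` and `window.localStorage` so the block runs under Node; `createAuthStore` and `legacyAuthHeaders` are hypothetical names, and the one-time move of a leftover localStorage token into session scope is this example's design choice, not something the PR does.

```javascript
// Added example, not the AutoBot-AI code. Storage objects are constructed
// in-memory stand-ins for window.sessionStorage / window.localStorage.
const TOKEN_KEY = 'slm_access_token';

function makeStorage() {
  const items = new Map();
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
    removeItem: (key) => { items.delete(key); },
  };
}

function createAuthStore(sessionStorage, localStorage) {
  // One-time migration (this example's choice): a token written by a
  // pre-migration login is moved into session scope and removed from
  // localStorage, so it stops outliving the tab. The PR snippet above falls
  // back to reading localStorage but leaves the old copy in place.
  const legacy = localStorage.getItem(TOKEN_KEY);
  if (legacy !== null && sessionStorage.getItem(TOKEN_KEY) === null) {
    sessionStorage.setItem(TOKEN_KEY, legacy);
  }
  localStorage.removeItem(TOKEN_KEY);

  return {
    login(token) {
      sessionStorage.setItem(TOKEN_KEY, token);
    },
    logout() {
      sessionStorage.removeItem(TOKEN_KEY);
      localStorage.removeItem(TOKEN_KEY);
    },
    // The single read path. Consumers that call this instead of touching
    // storage themselves are unaffected by any later change to where the
    // token lives, which is the point of routing reads through the store.
    getToken() {
      return sessionStorage.getItem(TOKEN_KEY);
    },
    // No token means no Authorization header at all, so the server answers
    // with a clean 401 rather than parsing the string "null" as a bearer token.
    authHeaders() {
      const token = this.getToken();
      return token === null ? {} : { Authorization: `Bearer ${token}` };
    },
  };
}

// The pattern the review flags: a composable or view reading storage
// directly, still pointed at localStorage after the store moved its writes.
function legacyAuthHeaders(localStorage) {
  return { Authorization: `Bearer ${localStorage.getItem(TOKEN_KEY)}` };
}
```

Centralising the read in the store is what makes the fix hold: a second migration (for example to an in-memory token with a refresh cookie) would then touch one function instead of the fourteen files the follow-up commit had to edit.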
@mrveiss mrveiss merged commit 346df20 into Dev_new_gui Apr 1, 2026
0 of 2 checks passed
@mrveiss mrveiss deleted the fix/3164-js-alerts branch April 1, 2026 20:25