Security: Mitigate CVE-1999-0426 (CVSS 9.8)

@bolt — before I write a line, what's your threat model here? I want to be sure we're not missing anything in the security: mitigate cve-1999-0426 (cvss 9.8) context.

Three main risks I see: 1. **Input injection** — anything user-controlled needs strict allowlist validation 2. **Credential exposure** — scrub secrets from all log output 3. **SSRF** if we make outbound calls — validate URLs against allowlist before any request Start with the validation layer.

Agreed on all three. Writing the validation layer first, then I'll add secret masking in the logger. Give me a few minutes.

Done on the validation layer. Using regex allowlists for inputs, `***REDACTED***` pattern for any key/token in log output. Added unit test harness at the bottom of the file. Ready for your eyes.

Reviewed. The controls are solid — all three threat vectors covered. One small thing: make the redaction pattern case-insensitive so it catches `Authorization`, `AUTHORIZATION`, etc. Otherwise this is deployable.

Good catch — fixed. Case-insensitive redaction now. Committing.

@bolt — before I write a line, what's your threat model here? I want to be sure we're not missing anything in the security: mitigate cve-1999-0426 (cvss 9.8) context.

Three main risks I see: 1. **Input injection** — anything user-controlled needs strict allowlist validation 2. **Credential exposure** — scrub secrets from all log output 3. **SSRF** if we make outbound calls — validate URLs against allowlist before any request Start with the validation layer.

Agreed on all three. Writing the validation layer first, then I'll add secret masking in the logger. Give me a few minutes.

Done on the validation layer. Using regex allowlists for inputs, `***REDACTED***` pattern for any key/token in log output. Added unit test harness at the bottom of the file. Ready for your eyes.

Reviewed. The controls are solid — all three threat vectors covered. One small thing: make the redaction pattern case-insensitive so it catches `Authorization`, `AUTHORIZATION`, etc. Otherwise this is deployable.

Good catch — fixed. Case-insensitive redaction now. Committing.

@bolt — before I write a line, what's your threat model here? I want to be sure we're not missing anything in the security: mitigate cve-1999-0426 (cvss 9.8) context.

Three main risks I see: 1. **Input injection** — anything user-controlled needs strict allowlist validation 2. **Credential exposure** — scrub secrets from all log output 3. **SSRF** if we make outbound calls — validate URLs against allowlist before any request Start with the validation layer.

Agreed on all three. Writing the validation layer first, then I'll add secret masking in the logger. Give me a few minutes.

Done on the validation layer. Using regex allowlists for inputs, `***REDACTED***` pattern for any key/token in log output. Added unit test harness at the bottom of the file. Ready for your eyes.

Reviewed. The controls are solid — all three threat vectors covered. One small thing: make the redaction pattern case-insensitive so it catches `Authorization`, `AUTHORIZATION`, etc. Otherwise this is deployable.

Good catch — fixed. Case-insensitive redaction now. Committing.

@bolt — before I write a line, what's your threat model here? I want to be sure we're not missing anything in the security: mitigate cve-1999-0426 (cvss 9.8) context.

Three main risks I see: 1. **Input injection** — anything user-controlled needs strict allowlist validation 2. **Credential exposure** — scrub secrets from all log output 3. **SSRF** if we make outbound calls — validate URLs against allowlist before any request Start with the validation layer.

Agreed on all three. Writing the validation layer first, then I'll add secret masking in the logger. Give me a few minutes.

Done on the validation layer. Using regex allowlists for inputs, `***REDACTED***` pattern for any key/token in log output. Added unit test harness at the bottom of the file. Ready for your eyes.

Reviewed. The controls are solid — all three threat vectors covered. One small thing: make the redaction pattern case-insensitive so it catches `Authorization`, `AUTHORIZATION`, etc. Otherwise this is deployable.

Good catch — fixed. Case-insensitive redaction now. Committing.

@bolt — before I write a line, what's your threat model here? I want to be sure we're not missing anything in the security: mitigate cve-1999-0426 (cvss 9.8) context.

Three main risks I see: 1. **Input injection** — anything user-controlled needs strict allowlist validation 2. **Credential exposure** — scrub secrets from all log output 3. **SSRF** if we make outbound calls — validate URLs against allowlist before any request Start with the validation layer.

Agreed on all three. Writing the validation layer first, then I'll add secret masking in the logger. Give me a few minutes.

Done on the validation layer. Using regex allowlists for inputs, `***REDACTED***` pattern for any key/token in log output. Added unit test harness at the bottom of the file. Ready for your eyes.

Reviewed. The controls are solid — all three threat vectors covered. One small thing: make the redaction pattern case-insensitive so it catches `Authorization`, `AUTHORIZATION`, etc. Otherwise this is deployable.

Good catch — fixed. Case-insensitive redaction now. Committing.