#8078: fix(config): add prototype pollution protection to deepMerge

## Summary Adds prototype pollution protection to the `deepMerge` function in the config include system by blocking dangerous keys (`__proto__`, `constructor`, `prototype`). ## The Problem The `deepMerge()` function in the configuration include system performs recursive object merging for the `$include` directive. While other configuration modules (`config-paths.ts`, `runtime-overrides.ts`) explicitly filter dangerous property names, the `deepMerge` function did not apply this defense. When processing malicious config files loaded via the `$include` directive, an attacker could inject objects with `__proto__` keys that pollute the JavaScript prototype chain for all objects in the Node.js process. This could lead to: - Security control bypass (e.g., overwriting `Object.prototype.isAdmin`) - Denial of Service (corrupting built-in methods) - Remote Code Execution in some contexts ## Changes - `src/config/includes.ts`: Added `BLOCKED_KEYS` set and filtering in `deepMerge` loop - `src/config/includes.test.ts`: Added tests for prototype pollution protection ## Test Plan - [x] `pnpm build && pnpm check && pnpm test` passes - [x] New tests verify `__proto__`, `constructor`, and `prototype` keys are blocked - [x] Tests verify nested prototype pollution is also blocked - [x] Existing deepMerge functionality still works for legitimate keys ## Related - [CWE-1321: Improperly Controlled Modification of Object Prototype Attributes](https://cwe.mitre.org/data/definitions/1321.html) - Internal audit ref: VULN-164 --- *Built with [bitsec-ai](https://github.com/bitsec-ai). AI-assisted: Yes. Testing: fully tested (test written before fix). Code reviewed and understood.* <!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> This PR hardens the config `$include` merge path by adding prototype-pollution key filtering to `deepMerge` (blocking `__proto__`, `constructor`, and `prototype`) and introduces a focused Vitest suite to ensure these keys are ignored both at the top level and when nested. This aligns `deepMerge` with similar defenses already present in other config modules and reduces risk when merging untrusted included config files. <h3>Confidence Score: 4/5</h3> - This PR is largely safe to merge and improves security, with a couple of minor behavior/test-isolation considerations. - The change is small and well-targeted (filtering a known set of dangerous keys) and includes direct tests for the intended hardening. Remaining concerns are about silent dropping potentially being surprising for legitimate configs, and the new tests’ reliance on global prototype state which can be made more robust. - src/config/includes.ts, src/config/includes.test.ts <!-- greptile_other_comments_section --> <!-- /greptile_comment -->