
#2544: fix(security): XSS vulnerability in Canvas Host + Windows CI stability

by Kiwitwitter · open · 2026-01-27 03:21
## Summary

- Fix **critical XSS vulnerability** in Canvas Host debug page (replaces `innerHTML` with safe DOM manipulation)
- Fix **Windows CI flaky tests** ("Worker exited unexpectedly" errors)

## Changes

### 1. XSS Fix (`src/canvas-host/server.ts`)

**Before (vulnerable):**

```typescript
statusEl.innerHTML = "Bridge: " +
  (hasHelper() ? "<span class='ok'>ready</span>" : "<span class='bad'>missing</span>") +
  " · iOS=" + (hasIOS() ? "yes" : "no") +
  " · Android=" + (hasAndroid() ? "yes" : "no");
```

**After (safe):**

```typescript
statusEl.textContent = "";
statusEl.appendChild(document.createTextNode("Bridge: "));
const bridgeSpan = document.createElement("span");
bridgeSpan.className = hasHelper() ? "ok" : "bad";
bridgeSpan.textContent = hasHelper() ? "ready" : "missing";
statusEl.appendChild(bridgeSpan);
// ...
```

### 2. Windows CI Fix (`vitest.config.ts`)

Added `singleFork: true` for Windows CI to prevent worker process crashes:

```typescript
poolOptions: {
  forks: {
    singleFork: useSingleFork, // true on Windows CI
  },
},
```

### 3. XSS Prevention Test (`src/canvas-host/server.test.ts`)

Added test to verify safe DOM manipulation patterns are used.

## Security Reference

- **CWE-79**: Improper Neutralization of Input During Web Page Generation
- **OWASP A03:2021**: Injection

🤖 Generated with [Claude Code](https://claude.ai/code)

<h2>Greptile Overview</h2>

<h3>Greptile Summary</h3>

This PR addresses a security issue and CI stability:

- Updates the Canvas Host default debug page HTML to build the status line via `textContent`/DOM node creation instead of `innerHTML`, reducing XSS risk in the embedded script (`src/canvas-host/server.ts`).
- Adjusts Vitest's forks pool configuration to use a single fork on Windows CI to mitigate intermittent worker crashes (`vitest.config.ts`).
- Adds a regression test that fetches the generated default `index.html` and asserts it contains safe DOM manipulation patterns (`src/canvas-host/server.test.ts`).

These changes fit into the existing Canvas Host path serving logic (default index written when missing, live reload injection) and the project-wide Vitest configuration used by CI.

<h3>Confidence Score: 4/5</h3>

- This PR is generally safe to merge and meaningfully improves security and Windows CI stability.
- Changes are localized (string-template HTML update, Vitest config tweak, and a new regression test). The security fix removes the known `innerHTML` sink in the default canvas page. Main concern is the added test's brittleness: it asserts specific string fragments/variable names in the generated HTML, which can create noisy failures on refactors without improving security coverage.
- src/canvas-host/server.test.ts (new test brittleness)
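The "After" pattern from the PR, rebuilt here as an added example (not code from the PR or the project) so it can be exercised outside a browser: the renderer takes the document as a parameter, `FakeDocument` is a constructed stand-in implementing only the DOM calls used, and the part the PR elides with `// ...` is assumed to append the iOS/Android flags as a text node. `describeStructure` shows the kind of behavioural assertion a regression test can make instead of matching fragments of the source text.

```javascript
// Added example; FakeNode/fakeDocument are constructed stand-ins for the browser DOM.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
function escapeHtml(s) { return s.replace(/[&<>"]/g, (c) => ESCAPES[c]); }

class FakeNode {
  constructor(tag, text = "") { this.tag = tag; this.text = text; this.className = ""; this.children = []; }
  appendChild(child) { this.children.push(child); return child; }
  // Assigning textContent replaces all children with one text node; nothing is parsed as HTML.
  set textContent(value) { this.children = value === "" ? [] : [new FakeNode(null, value)]; }
  get textContent() { return this.tag === null ? this.text : this.children.map((c) => c.textContent).join(""); }
  // Serialize the way a browser does: text nodes are escaped, so "<" in text never becomes a tag.
  toHtml() {
    if (this.tag === null) return escapeHtml(this.text);
    const cls = this.className ? ` class="${escapeHtml(this.className)}"` : "";
    return `<${this.tag}${cls}>` + this.children.map((c) => c.toHtml()).join("") + `</${this.tag}>`;
  }
}
const fakeDocument = {
  createElement: (tag) => new FakeNode(tag),
  createTextNode: (text) => new FakeNode(null, text),
};

// Mirrors the PR's "After" code. `bridge` carries the booleans the page's
// hasHelper()/hasIOS()/hasAndroid() would return (assumed shape).
function renderStatus(doc, statusEl, bridge) {
  statusEl.textContent = "";                                   // clear without an innerHTML sink
  statusEl.appendChild(doc.createTextNode("Bridge: "));
  const bridgeSpan = doc.createElement("span");
  bridgeSpan.className = bridge.hasHelper ? "ok" : "bad";
  bridgeSpan.textContent = bridge.hasHelper ? "ready" : "missing";
  statusEl.appendChild(bridgeSpan);
  statusEl.appendChild(doc.createTextNode(                     // assumed rendering of the elided tail
    " · iOS=" + (bridge.hasIOS ? "yes" : "no") + " · Android=" + (bridge.hasAndroid ? "yes" : "no")));
  return statusEl;
}

// Structural view of the rendered line, e.g. ["#text", "span.ok", "#text"]; a test
// asserting on this survives renames that a source-fragment match would not.
function describeStructure(el) {
  return el.children.map((c) => (c.tag === null ? "#text" : c.tag + (c.className ? "." + c.className : "")));
}

// Render into a fresh container and serialize it.
function renderToHtml(bridge) {
  return renderStatus(fakeDocument, fakeDocument.createElement("div"), bridge).toHtml();
}
```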
