Security hardening and robustness fixes for Docker scripts and session injection

[Copilot]

Your checklist for this pull request

• Make sure you are requesting to pull a feature/bugfix branch (right side).
• Make sure you are making a pull request against the dev branch (left side). Also you should start your branch off our dev branch.
• Check your code additions locally using npm run watch
• Make sure strings/resources are added using our resource files
• Make sure CHANGELOG.md is updated if applicable
• Make sure Smoke tests are updated if applicable

Review checklist

• Tested locally

Review theme song

🎵 Tool - Forty Six & 2 🎵

Description

Addresses security vulnerabilities and robustness issues in the session injection endpoint and Docker environment scripts.

Session Injection Endpoint Security

• Changed GET to POST to prevent accidental triggering by prefetchers/crawlers
• Added SESSION_INJECTION_SECRET with crypto.timingSafeEqual() for timing-attack resistance
• Enforced NODE_ENV=development guard
• Session regeneration before injection prevents fixation attacks
• Allowlist pattern (passport field only) replaces unsafe Object.assign
• Open redirect protection validates internal relative paths only

Docker Script Robustness

• Normalized COMPOSE_PROJECT_NAME for Docker Compose compatibility (lowercase, alphanumeric+hyphens)
• Replaced .env file sourcing (code execution risk) with safe key-value parsing
• Handles base64 values containing = characters correctly
• Quote-wrapped YAML environment values prevent truncation from # or =
• Added docker compose version validation check
• DRY principle: single source of truth for environment variable allowlist

Documentation

• Replaced hardcoded port 9142 with dynamic ${APP_URL} references
• Updated examples to POST with X-Injection-Secret header

Before:

curl http://localhost:9142/auth/inject-session

After:

curl -X POST "${APP_URL}/auth/inject-session" \
  -H "X-Injection-Secret: ${SESSION_INJECTION_SECRET}"

How to test

1. Check out locally with gh: gh pr checkout 1342
2. Run ./scripts/agent-setup.sh in a worktree with special characters (e.g., Test.Branch-123)
3. Verify Docker Compose project name is normalized and containers start successfully
4. Set TEST_SESSION_COOKIE and SESSION_INJECTION_SECRET environment variables
5. Test session injection endpoint with correct and incorrect secrets
6. Verify redirect URL validation prevents open redirects

Related PRs

Addresses all review comments from PR #1342

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.