fix(security): IPv6 ULA blocking, cookie redaction, per-tab cancel, targeted token (#664)

Community PR #664 by @mr-k-man (security audit round 1, new parts only).

- IPv6 ULA prefix blocking (fc00::/7) in url-validation.ts with false-positive
  guard for hostnames like fd.example.com
- Cookie value redaction for tokens, API keys, JWTs in browse cookies command
- Per-tab cancel files in killAgent() replacing broken global kill-signal
- design/serve.ts: realpathSync upgrade prevents symlink bypass in /api/reload
- extension: targeted getToken handler replaces token-in-health-broadcast
- Supabase migration 003: column-level GRANT restricts anon UPDATE scope
- Telemetry sync: upsert error logging
- 10 new tests for IPv6, cookie redaction, DNS rebinding, path traversal

Co-Authored-By: mr-k-man <mr-k-man@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

browse/test/url-validation.test.ts

@@ -62,11 +62,53 @@ describe('validateNavigationUrl', () => {
     await expect(validateNavigationUrl('http://0251.0376.0251.0376/')).rejects.toThrow(/cloud metadata/i);
   });
 
-  it('blocks IPv6 metadata with brackets', async () => {
+  it('blocks IPv6 metadata with brackets (fd00::)', async () => {
     await expect(validateNavigationUrl('http://[fd00::]/')).rejects.toThrow(/cloud metadata/i);
   });
 
+  it('blocks IPv6 ULA fd00::1 (not just fd00::)', async () => {
+    await expect(validateNavigationUrl('http://[fd00::1]/')).rejects.toThrow(/cloud metadata/i);
+  });
+
+  it('blocks IPv6 ULA fd12:3456::1', async () => {
+    await expect(validateNavigationUrl('http://[fd12:3456::1]/')).rejects.toThrow(/cloud metadata/i);
+  });
+
+  it('blocks IPv6 ULA fc00:: (full fc00::/7 range)', async () => {
+    await expect(validateNavigationUrl('http://[fc00::]/')).rejects.toThrow(/cloud metadata/i);
+  });
+
+  it('does not block hostnames starting with fd (e.g. fd.example.com)', async () => {
+    await expect(validateNavigationUrl('https://fd.example.com/')).resolves.toBeUndefined();
+  });
+
+  it('does not block hostnames starting with fc (e.g. fcustomer.com)', async () => {
+    await expect(validateNavigationUrl('https://fcustomer.com/')).resolves.toBeUndefined();
+  });
+
   it('throws on malformed URLs', async () => {
     await expect(validateNavigationUrl('not-a-url')).rejects.toThrow(/Invalid URL/i);
   });
 });
+
+describe('validateNavigationUrl — restoreState coverage', () => {
+  it('blocks file:// URLs that could appear in saved state', async () => {
+    await expect(validateNavigationUrl('file:///etc/passwd')).rejects.toThrow(/scheme.*not allowed/i);
+  });
+
+  it('blocks chrome:// URLs that could appear in saved state', async () => {
+    await expect(validateNavigationUrl('chrome://settings')).rejects.toThrow(/scheme.*not allowed/i);
+  });
+
+  it('blocks metadata IPs that could be injected into state files', async () => {
+    await expect(validateNavigationUrl('http://169.254.169.254/latest/meta-data/')).rejects.toThrow(/cloud metadata/i);
+  });
+
+  it('allows normal https URLs from saved state', async () => {
+    await expect(validateNavigationUrl('https://example.com/page')).resolves.toBeUndefined();
+  });
+
+  it('allows localhost URLs from saved state', async () => {
+    await expect(validateNavigationUrl('http://localhost:3000/app')).resolves.toBeUndefined();
+  });
+});