fix(uxp): ship hygiene — gate udt-smoke.js, restrict postMessage, block exec shim

- Gate udt-smoke.js behind localStorage opencut_debug=1 so the mutating
  test harness doesn't load in every production session
- Restrict postMessage targetOrigin from "*" to window.location.origin
- Block cep_node child_process.exec passthrough in the WebView shim
  (was an open shell execution path)

Author: SysAdminDoc

extension/com.opencut.uxp/csinterface-shim.js

@@ -48,9 +48,10 @@
   function _postToHost(action, params, callback) {
     const id = ++_callId;
     if (callback) _pendingCallbacks[id] = callback;
+    var origin = window.location.origin || "*";
     window.parent.postMessage(
       { _ocShimRequest: true, _callId: id, action: action, params: params },
-      "*"
+      origin
     );
     // Timeout: clean up if no response in 30s
     setTimeout(function () {
@@ -159,10 +160,8 @@
       // Route to UXP host for supported operations.
       if (mod === "child_process") {
         return {
-          exec: function (cmd, cb) {
-            _postToHost("exec", { command: cmd }, function (result) {
-              if (cb) cb(null, result, "");
-            });
+          exec: function (_cmd, cb) {
+            if (cb) cb(new Error("child_process.exec is not available in the WebView shim"), "", "");
           },
         };
       }

extension/com.opencut.uxp/index.html

@@ -1650,6 +1650,10 @@ <h2 class="oc-workspace-guide-title" id="workspaceGuideTitle" data-i18n="uxp.gui
   </div><!-- #app -->
 
   <script type="module" src="main.js"></script>
-  <script type="module" src="udt-smoke.js"></script>
+  <script type="module">
+    if (localStorage.getItem("opencut_debug") === "1") {
+      import("./udt-smoke.js");
+    }
+  </script>
 </body>
 </html>