fix: address security vulnerabilities in tenant resolver and permission evaluator

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

ROADMAP.md

@@ -24,7 +24,7 @@ ObjectUI is a universal Server-Driven UI (SDUI) engine built on React + Tailwind
 ### Achievements ✅
 
 **Architecture & Quality:**
-- ✅ 32 packages in monorepo (16 plugins, 4 core, 12 tools)
+- ✅ 35 packages in monorepo (20 plugins, 4 core, 11 tools)
 - ✅ 91+ components fully documented
 - ✅ 57+ Storybook stories with interactive demos
 - ✅ TypeScript 5.9+ strict mode (100%)

packages/permissions/src/evaluator.ts

@@ -110,7 +110,12 @@ export function evaluateCondition(
   condition: PermissionCondition,
   record: Record<string, unknown>,
 ): boolean {
-  const value = record[condition.field];
+  // Prevent prototype pollution via dangerous property access
+  if (['__proto__', 'constructor', 'prototype'].includes(condition.field)) {
+    return false;
+  }
+
+  const value = Object.prototype.hasOwnProperty.call(record, condition.field) ? record[condition.field] : undefined;
 
   switch (condition.operator) {
     case 'eq':

packages/tenant/src/resolver.ts

@@ -67,8 +67,16 @@ export function createTenantResolver(
         resolve: () => {
           if (typeof document === 'undefined') return null;
           const name = options?.cookieName ?? 'tenant_id';
-          const match = document.cookie.match(new RegExp(`(?:^|; )${name}=([^;]*)`));
-          return match ? decodeURIComponent(match[1]) : null;
+          const cookies = document.cookie.split('; ');
+          for (const cookie of cookies) {
+            const eqIndex = cookie.indexOf('=');
+            if (eqIndex === -1) continue;
+            const key = cookie.substring(0, eqIndex);
+            if (key === name) {
+              return decodeURIComponent(cookie.substring(eqIndex + 1));
+            }
+          }
+          return null;
         },
       };