fix: use crypto.randomUUID for transaction IDs, use single-quote for Excel formula injection protection

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

packages/core/src/actions/TransactionManager.ts

@@ -503,14 +503,14 @@ export class TransactionManager {
 // Helpers
 // ==========================================================================
 
-let idCounter = 0;
-
 /**
- * Generate a simple unique ID
+ * Generate a unique transaction ID using crypto when available
  */
 function generateId(): string {
-  idCounter++;
-  return `txn_${Date.now()}_${idCounter}`;
+  if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
+    return `txn_${crypto.randomUUID()}`;
+  }
+  return `txn_${Date.now()}_${Math.random().toString(36).slice(2, 10)}`;
 }
 
 /**

packages/plugin-report/src/LiveReportExporter.ts

@@ -326,13 +326,14 @@ function getExcelColumnLetter(index: number): string {
 
 /**
  * Sanitize cell values to prevent formula injection in Excel.
- * Prefixes values starting with formula characters (=, +, -, @, |) with a tab.
+ * Prefixes values starting with formula characters (=, +, -, @, |) with a
+ * single-quote, which is the standard Excel protection against formula injection.
  */
 function sanitizeExcelValue(val: string): string {
   if (val.length > 0) {
     const firstChar = val.charAt(0);
     if (firstChar === '=' || firstChar === '+' || firstChar === '-' || firstChar === '@' || firstChar === '|') {
-      return `\t${val}`;
+      return `'${val}`;
     }
   }
   return val;