Dev #204

Merged
ahmad-ajmal merged 49 commits into staging from dev
Apr 17, 2026
@ahmad-ajmal
Collaborator

No description provided.

zfoong and others added 30 commits April 13, 2026 13:15
…dential storage, prompt injection)

- Fix reflected XSS in OAuth callback by HTML-escaping error parameter
- Add OAuth state parameter validation to prevent CSRF attacks
- Add SSRF protection to http_request action (block private IPs, cloud metadata)
- Add path traversal protection to read_file/write_file actions (block sensitive dirs)
- Set restrictive file permissions (0600) on stored credentials
- Make prompt sanitizer actually strip detected injection patterns instead of just logging

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Undo changes for write_file action
Undo changes on read_file
undo changes on prompt_sanitizer
zfoong and others added 19 commits April 15, 2026 18:57
Reset max actions per task to normal rate.
Tasks now track the platform they were started on (Task.source_platform),
and do_chat/do_chat_with_attachments resolve the outbound platform from
that field via session_id, falling back to the user's Preferred Messaging
Platform (read from USER.md, defaulting to "CraftBot Interface"). When a
running task receives a new message from a different platform, it switches
source_platform so subsequent replies follow the user. Also fixes the
USER.md template which was missing the Preferred Messaging Platform
placeholder, causing onboarding to silently drop the selected value.
@ahmad-ajmal ahmad-ajmal merged commit 748c44f into staging Apr 17, 2026
5 participants