fix(chat): simplify DANGEROUS_QUERY_PATTERN to only block *:* queries

[marevol]

Summary

• Reduced the overly broad DANGEROUS_QUERY_PATTERN that was blocking legitimate search queries
• The previous pattern rejected queries containing keywords like _source, _all, painless, or groovy in natural-language context (e.g., "painless scripting tutorial")
• Now only rejects the *:* wildcard-all pattern, which is the actual security concern for unrestricted document dumps

Changes Made

• ChatClient.java: Simplified DANGEROUS_QUERY_PATTERN from a multi-clause regex to just \*:\*
• ChatClientTest.java: Added comprehensive unit tests for:
  • escapeLuceneValue — null, empty, backslash, double-quote, mixed, URL inputs
  • searchWithQuery — null, blank, length limits, valid queries, dangerous pattern rejection, previously false-positive patterns now allowed
  • escapeHtml — null, empty, all special HTML characters, XSS script tag
• Extended TestableChatClient inner class with searchDocuments override and helper methods for state tracking

Testing

• New unit tests cover all edge cases for the affected methods
• Verified that *:* is still rejected while legitimate queries containing script-related keywords pass through
• Tests use wasSearchDocumentsCalled() to assert whether the actual search was invoked

Breaking Changes

• None — this change is less restrictive (expands what queries are accepted), not more

Additional Notes

• The original pattern was introduced in a security hardening PR but proved too aggressive for RAG chat use cases where users may ask natural-language questions about topics like "painless scripting" or "source configuration"
• Only *:* poses a real risk as it dumps all documents regardless of query intent

🤖 Generated with Claude Code