fix: validate glob patterns and exclude names, clarify regex escaping

- globMatch: use explicit \[ \] escaping in character class for clarity
- globMatch: wrap RegExp in try/catch, fall back to substring on malformed patterns
- pruneRegistry: sanitize excludeNames, filtering empty/non-string values

Impact: 2 functions changed, 4 affected

Author: github-actions[bot]

src/embedder.js

@@ -24,13 +24,18 @@ function globMatch(filePath, pattern) {
   // Normalize separators to forward slashes
   const normalized = filePath.replace(/\\/g, '/');
   // Escape regex specials except glob chars
-  let regex = pattern.replace(/\\/g, '/').replace(/[.+^${}()|[\]]/g, '\\$&');
+  let regex = pattern.replace(/\\/g, '/').replace(/[.+^${}()|\\[\]]/g, '\\$&');
   // Replace ** first (matches any path segment), then * and ?
   regex = regex.replace(/\*\*/g, '\0');
   regex = regex.replace(/\*/g, '[^/]*');
   regex = regex.replace(/\0/g, '.*');
   regex = regex.replace(/\?/g, '[^/]');
-  return new RegExp(`^${regex}$`).test(normalized);
+  try {
+    return new RegExp(`^${regex}$`).test(normalized);
+  } catch {
+    // Malformed pattern — fall back to substring match
+    return normalized.includes(pattern);
+  }
 }
 
 // Lazy-load transformers (heavy, optional module)

src/registry.js

@@ -144,7 +144,9 @@ export function pruneRegistry(
   const registry = loadRegistry(registryPath);
   const pruned = [];
   const cutoff = Date.now() - ttlDays * 24 * 60 * 60 * 1000;
-  const excludeSet = new Set(excludeNames);
+  const excludeSet = new Set(
+    excludeNames.filter((n) => typeof n === 'string' && n.trim().length > 0),
+  );
 
   for (const [name, entry] of Object.entries(registry.repos)) {
     if (excludeSet.has(name)) continue;