
Fix critical security issues: upgrade jQuery, add DOCTYPE/charset, fix global var leak, harden deploy #5

Merged
s-wu merged 1 commit into master from devin/1775512573-security-fixes
Apr 7, 2026

Conversation

@staging-devin-ai-integration

Summary

Security audit of the codebase identified several issues across multiple severity levels. This PR fixes the critical and medium findings:

  1. Upgrade jQuery 2.2.0 → 3.7.1 — jQuery 2.2.0 has 5 known CVEs including XSS (CVE-2020-11022, CVE-2020-23064) and Prototype Pollution (CVE-2019-11358). The app uses .html() in 6 places, making the XSS vulnerabilities exploitable in principle.

  2. Add <!DOCTYPE html> and <meta charset="UTF-8"> to all 4 HTML files (index.html, superset.html, hiddenset.html, powerset.html). Missing DOCTYPE triggers quirks mode; missing charset opens encoding-based attack vectors.

  3. Fix implicit global variable z in variants.js: for (z of ...) in isStandardSet() and isSuperSet() leaked z to global scope, enabling potential variable pollution. Changed to for (var z of ...).

  4. Harden deploy.sh and dev.sh — Added --exclude flags for .git, .env*, *.pem, *.key to prevent accidental deployment of sensitive files.

Not applicable (no server-side code):

SQL injection, CORS, debug endpoints, hardcoded secrets, missing authentication — all N/A for this static frontend app.

Review & Testing Checklist for Human

  • Open each game variant (index.html, superset.html, hiddenset.html, powerset.html) in a browser and verify the game still loads and plays correctly — jQuery 3.7.1 has some breaking changes from 2.x
  • Verify card rendering (SVG shapes, colors, striping) still displays properly in both light and dark mode
  • Test the settings modal, restart, "No Set", and "Check Set" buttons
  • Confirm keyboard shortcuts still work (Q/A/Z for cards, Shift+R restart, Shift+L light/dark, Enter/Space check set)

Notes

  • jQuery 3.x removes some deprecated APIs from 2.x. The codebase uses basic jQuery (selectors, .html(), .fadeIn/Out(), .addClass/removeClass(), .on(), .css()) which are all stable across versions. No migration issues expected.
  • Low-severity findings (no SRI, set shadowing Set constructor, no clickjacking protection, localStorage schema validation) were not addressed in this PR to keep changes focused on critical/medium fixes.

Link to Devin session: https://staging.itsdev.in/sessions/eefcdce337d04c87832273eeedb1966d
Requested by: @s-wu
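The jQuery upgrade in item 1 fixes the library's own handling of .html() input, but it does not make .html(untrusted) safe. The block below is an added example, not code from jQuery or from this repository: it reproduces at the string level what jQuery's htmlPrefilter did to .html() input before 3.5.0 (the step behind CVE-2020-11022), beside the identity prefilter shipped since 3.5.0, and the escaping that untrusted strings need in any version. The rxhtmlTag regular expression is transcribed from the jQuery 1.x/2.x source from memory and should be checked against the jquery-2.2.0.js being replaced; the payload is constructed in the shape the advisory discusses (markup inside a <style> element, which an HTML parser treats as raw text).

```javascript
// Added example; not jQuery's code and not code from this repository.
// Pre-3.5 jQuery rewrote self-closing tags (other than void elements) into
// open/close pairs before handing the string to the HTML parser.
// The regex is transcribed from jQuery 1.x/2.x from memory (assumption).
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, '<$1></$2>');
}

// jQuery >= 3.5.0: htmlPrefilter is the identity function.
function modernHtmlPrefilter(html) {
  return html;
}

// Escape for insertion as text. This, or jQuery's .text(), is what untrusted
// strings need; no jQuery version makes .html(untrusted) safe.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed payload: an <img> placed inside <style>, where an HTML-aware
// filter sees only inert CSS text. The "<style />" is the trigger.
const payload = '<style><style /><img src=x onerror=alert(1)></style>';

function demo() {
  return {
    // "<style />" becomes "<style ></style>", which closes the outer <style>
    // early, so the <img> is parsed as a real element and its handler runs.
    legacy: legacyHtmlPrefilter(payload),
    // Unchanged: the <img> stays raw text inside <style>.
    modern: modernHtmlPrefilter(payload),
    // Inert in any version: safe to pass to innerHTML or .html().
    escaped: escapeHtml(payload),
  };
}

console.log(demo());
```

The practical check for the six .html() call sites is therefore not the jQuery version but the data source: anything that originates in localStorage, the URL, or another page should go through .text() or escapeHtml() rather than .html().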
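The implicit-global point in item 3, shown as an added example (not the repository's variants.js): a sloppy-mode function with an undeclared for-of variable clobbers a global of the same name, the declared form does not, and strict mode turns the same write into a ReferenceError. The function names and sample values are assumptions for illustration.

```javascript
// Added example; not code from the Set-game repository. Function names and
// sample values are assumptions.

// Sloppy-mode function built with new Function so its body is never strict,
// like a classic <script> without type="module". Writing to an undeclared `z`
// creates (or overwrites) globalThis.z as a side effect.
const leakyAllSame = new Function('values', `
  var first = values[0];
  for (z of values) {            // no var/let/const: z becomes a global
    if (z !== first) { return false; }
  }
  return true;
`);

// The PR's fix: the loop variable is declared, so it stays in the function.
// const (block scope) is the idiomatic choice; var also stops the leak.
function fixedAllSame(values) {
  const first = values[0];
  for (const z of values) {
    if (z !== first) { return false; }
  }
  return true;
}

// The other standard remedy: in strict mode the same undeclared write is a
// ReferenceError instead of a silent global.
const strictAllSame = new Function('values', `
  'use strict';
  var first = values[0];
  for (z of values) {
    if (z !== first) { return false; }
  }
  return true;
`);

// Simulate unrelated global state that happens to be named `z`, run the
// leaky function, and report what the global holds afterwards.
function demonstrateLeak() {
  globalThis.z = 'unrelated global state';
  leakyAllSame(['red', 'green']);   // stops at the second element
  const after = globalThis.z;
  delete globalThis.z;               // the property is configurable, so this cleans up
  return after;                      // 'green': the caller's state was clobbered
}

function demonstrateFix() {
  globalThis.z = 'unrelated global state';
  fixedAllSame(['red', 'green', 'green']);
  const after = globalThis.z;
  delete globalThis.z;
  return after;                      // unchanged
}

function demonstrateStrict() {
  delete globalThis.z;               // no leftover global may mask the error
  try {
    strictAllSame(['red', 'green']);
    return 'no error';
  } catch (e) {
    return e.name;                   // 'ReferenceError'
  }
}

console.log(demonstrateLeak(), '|', demonstrateFix(), '|', demonstrateStrict());
```

Wrapping variants.js in 'use strict' (or loading it as a module) is the cheap way to make sure no further undeclared assignments slip in after this one is fixed.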

…x global var leak, harden deploy

- Upgrade jQuery 2.2.0 to 3.7.1 (fixes CVE-2020-11022, CVE-2020-23064, CVE-2019-11358)
- Fix implicit global variable 'z' leak in variants.js (isStandardSet, isSuperSet)
- Add --exclude flags to deploy.sh and dev.sh to prevent deploying sensitive files

Co-Authored-By: scott.wu46+devintesting <scott.wu46@gmail.com>
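A verification script for the human review checklist, added here and not part of the project. It audits an HTML document's head for the DOCTYPE and for a <meta charset> that is complete within the first 1024 bytes (the window the HTML specification gives that declaration), and screens a deployed file list against the PR's exclude patterns (.git, .env*, *.pem, *.key). The sample documents and the path list are constructed; for a real check the list comes from `find DEST -type f` on the web root with the DEST prefix stripped, or from an rsync dry run.

```javascript
// Added verification example; not code from the Set-game repository.
// Checks two things the PR leaves to the reviewer:
//   1. an HTML document begins with <!DOCTYPE html> and its
//      <meta charset="UTF-8"> ends within the first 1024 bytes;
//   2. a deployed file list contains nothing the new --exclude flags
//      (.git, .env*, *.pem, *.key) should have kept out.
// The documents and the path list below are constructed for the demo.

// Same patterns as the PR's exclude list, applied to each path component.
const SENSITIVE_COMPONENT = [/^\.git$/, /^\.env/, /\.pem$/, /\.key$/];

// Returns the problems found in one HTML document's head ([] when clean).
function auditHtmlHead(html) {
  const problems = [];
  if (!/^\s*<!doctype\s+html\s*>/i.test(html)) {
    problems.push('missing standards-mode DOCTYPE (document renders in quirks mode)');
  }
  // Only the <meta charset=...> form is recognised, which is what the PR adds.
  const m = /<meta\s+charset\s*=\s*["']?utf-8["']?\s*\/?>/i.exec(html);
  if (!m) {
    problems.push('no <meta charset="UTF-8">');
  } else {
    const bytesThroughTag = new TextEncoder().encode(html.slice(0, m.index + m[0].length)).length;
    if (bytesThroughTag > 1024) {
      problems.push('charset declaration ends after byte 1024, outside the browser prescan window');
    }
  }
  return problems;
}

// Given relative paths from a deployed tree, returns the ones the exclude
// list should have stopped (any matching path component counts).
function findSensitivePaths(relPaths) {
  return relPaths
    .filter((p) => p.split('/').some((part) => SENSITIVE_COMPONENT.some((re) => re.test(part))))
    .sort();
}

// Constructed sample inputs.
const GOOD_HTML = '<!DOCTYPE html>\n<html><head><meta charset="UTF-8"><title>Set</title></head>\n<body></body></html>\n';
const PRE_PR_HTML = '<html><head><title>Set</title></head>\n<body></body></html>\n'; // no DOCTYPE, no charset
const LATE_CHARSET_HTML = '<!DOCTYPE html><html><head><!-- ' + 'x'.repeat(1100) + ' --><meta charset="UTF-8"></head><body></body></html>';
const DEPLOYED_WITHOUT_EXCLUDES = [
  'index.html', 'superset.html', 'hiddenset.html', 'powerset.html',
  'js/variants.js', 'js/jquery.min.js',
  '.git/HEAD', '.env.local', 'certs/deploy.key',
];

function demo() {
  return {
    good: auditHtmlHead(GOOD_HTML),
    prePr: auditHtmlHead(PRE_PR_HTML),
    lateCharset: auditHtmlHead(LATE_CHARSET_HTML),
    leaked: findSensitivePaths(DEPLOYED_WITHOUT_EXCLUDES),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that findSensitivePaths is a denylist check, exactly like the --exclude flags it verifies: a private key named id_rsa or a credentials.json would pass both. Keeping secrets out of the source tree entirely is the stronger control; the exclude list is a backstop.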
@staging-devin-ai-integration
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@s-wu s-wu merged commit be3d35a into master Apr 7, 2026