
fix: replace bare eval with sandboxed evaluator in DebuggerConsole #67

Open

rishab11250 wants to merge 1 commit into siddu-k:main from rishab11250:fix/debugger-console-security

Conversation

@rishab11250

Closes #59

Problem

The DebuggerConsole's evaluate() method in ui/app.js uses a bare eval() call with no sandboxing, scope restriction, or input validation, giving any expression typed into the console unrestricted read/write access to the entire application's global scope.

This allows:

  • Mutating state.unlockedScripts to bypass the password lock system
  • Calling fetch() to exfiltrate data or trigger unintended API calls to the Flask backend
  • Pasting untrusted code (from Stack Overflow, etc.) that runs with full app privileges
  • Accessing DOM APIs, cookies, localStorage, and all runtime variables with no guardrails

Solution

Three layers of defense applied:

Layer | Change | File:Line
User awareness | One-time warn entry on first console open stating it has full app access | ui/app.js:3273-3276
Scope restriction | Replaced eval(expr) with new Function('state', '"use strict"; return (expr)'); the expression only receives state as a parameter and strict mode prevents implicit globals | ui/app.js:3414-3415
Dangerous API blocking | Pre-checks the expression against BLOCKED_PATTERNS (fetch(, XMLHttpRequest, document.cookie, localStorage, sessionStorage, indexedDB, Worker(, new Function(, new WebSocket(, import(, require() and returns a warning instead of executing | ui/app.js:3408-3411

Verification

  • state.unlockedScripts['path'] = 'pw' mutations via console are now blocked by the sandboxed Function() scope applying strict mode
  • Dangerous API calls (fetch(, XMLHttpRequest, etc.) are blocked with an explicit warning entry in the console log
  • Warning banner appears once per session on first console open
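The evaluator the PR describes, reconstructed as an added example (this is not code from the PR or from ui/app.js) so its behaviour can be checked offline in Node. The helper names and the assumption that BLOCKED_PATTERNS is matched as plain substrings are this example's own. It runs the cases the Verification section lists and, alongside them, two that a reviewer would want to see: a property write through the state parameter, and a read of a global through an expression that contains no blocked substring, since a Function body is compiled in the global scope and the pre-check only matches literal text.

```javascript
// Added example, not code from the PR or from ui/app.js: a reconstruction of the
// evaluator the PR describes, so its behaviour can be checked offline in Node.
// Assumptions (this example's own, not the project's): BLOCKED_PATTERNS is matched
// as plain substrings, and the helper names below are hypothetical.

const BLOCKED_PATTERNS = [
  'fetch(', 'XMLHttpRequest', 'document.cookie', 'localStorage',
  'sessionStorage', 'indexedDB', 'Worker(', 'new Function(',
  'new WebSocket(', 'import(', 'require(',
];

// Return the first blocked pattern found in the expression, or null.
function findBlockedPattern(expr) {
  for (const p of BLOCKED_PATTERNS) {
    if (expr.includes(p)) return p;
  }
  return null;
}

// "Before": the bare eval the PR replaces. Runs with access to the caller's
// scope and the global scope; kept only for comparison.
function evaluateBare(expr) {
  return eval(expr); // eslint-disable-line no-eval
}

// "After": the layered evaluator the PR describes. The expression receives only
// `state` as a named parameter and runs under strict mode.
function evaluateSandboxed(expr, state) {
  const hit = findBlockedPattern(expr);
  if (hit !== null) {
    return { ok: false, warning: 'blocked: expression contains "' + hit + '"' };
  }
  try {
    const fn = new Function('state', '"use strict"; return (' + expr + ');');
    return { ok: true, value: fn(state) };
  } catch (e) {
    return { ok: false, error: e.name + ': ' + e.message };
  }
}

// Constructed sample state, shaped like the PR's state.unlockedScripts.
function makeState() {
  return { unlockedScripts: {}, user: 'demo' };
}

// Exercise the evaluator on the cases the PR's Verification section lists, plus
// two a reviewer would want: `state` is passed by reference, so property writes
// still land, and a Function body still resolves names on globalThis.
function runCases() {
  const state = makeState();
  globalThis.exampleSecret = 'constructed-secret'; // constructed stand-in for an app global
  const r = {};
  r.arith = evaluateSandboxed('1 + 2', state);
  r.readState = evaluateSandboxed('state.user', state);
  r.blockedFetch = evaluateSandboxed('fetch("/api/data")', state);
  r.blockedCookie = evaluateSandboxed('document.cookie', state);
  // Strict mode: assigning to an undeclared name throws instead of creating a global.
  r.implicitGlobal = evaluateSandboxed('leaked = 1', state);
  // Property write through the `state` parameter: not a global, not a pattern hit.
  r.mutateState = evaluateSandboxed("state.unlockedScripts['path'] = 'pw'", state);
  r.stateAfter = state.unlockedScripts.path;
  // Global read: Function bodies are compiled in the global scope.
  r.globalRead = evaluateSandboxed('globalThis.exampleSecret', state);
  // Computed property name: contains no blocked substring, so it is evaluated.
  r.computedName = evaluateSandboxed('globalThis["fe" + "tch"]', state);
  // The bare eval reads the same global, for comparison.
  r.bareRead = evaluateBare('exampleSecret');
  return r;
}
```

Run it with node and inspect runCases(): the fetch( and document.cookie expressions come back as warnings and the implicit global becomes a ReferenceError, while the write to state.unlockedScripts and the globalThis reads evaluate normally.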

@rishab11250 (Author)

Hey @siddu-k, please review my PR and if there are any problems, tell me.


Development

Successfully merging this pull request may close these issues.

Security: Debugger Console Uses Unrestricted eval() — Full Global Scope Exposure

1 participant