Fix security vulnerabilities and bugs from codebase review

[Copilot]

Comprehensive codebase review surfaced several security vulnerabilities, a shared-state mutation bug, and missing cleanup in React hooks.

Security

• API key leaked via URL query params — /api/credits changed from GET (key in ?key=) to POST (key in request body). Query params persist in browser history, server access logs, and proxy logs.
• Path traversal in loadEvalRun — Added UUID format validation on id and resolve() + startsWith() containment check on the resolved path.
• Path traversal in readExampleProblem — Added containment check ensuring resolved path stays within examples/ directory. Data is currently hardcoded but this is defense-in-depth.
• Unhandled JSON.parse in eval storage — Corrupted JSON files in loadEvalRuns/loadEvalRun crashed the process; now wrapped in try-catch with warning logs.

Bugs

• Shallow copy in vocabulary merge (02d-synthesize.ts) — mainVocabulary.set(key, entry) stored a reference to draft vocabulary entries, so mutations to one affected the other. Changed to { ...entry }, consistent with the spread pattern already used in createDraftStore.
• Ephemeral Map in getDraftStoresMap — When draft-stores was missing from requestContext, the function silently created a new Map that was never persisted back. Subsequent calls would get a fresh empty Map, losing all draft stores. Now throws explicitly since the hypothesize step is required to initialize it.

Code quality

• Missing AbortController in credits-badge.tsx and use-examples.ts — Added cleanup to cancel in-flight fetches on unmount/dependency change.
• Unsafe rcGetter type cast in 03a-rule-tester-tool.ts — Removed redundant wrapper that cast undefined through as Parameters<...>[0]; emitToolTraceEvent already accepts undefined.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[cervonwong]

@claude Do you agree with these changes.