fix: corrigir bugs críticos de segurança e memory leaks (v1.2.4)

- fix(pagination): SQL injection em cursor pagination - validação de nomes de campos
- fix(transaction): substituir Math.random() por crypto.randomBytes() para jitter
- fix(monitoring): memory leak - adicionar .unref() ao setInterval
- docs: adicionar relatório completo de bugs (BUG-REPORT-2026-01-31.md)
- chore: actualizar versão para 1.2.4

CLAUDE.md

@@ -74,8 +74,15 @@ src/
 │   ├── export-import.ts  # 2 tools - Markdown export/import
 │   └── desk-sync.ts      # 2 tools - Desk CRM integration
 └── utils/
-    ├── logger.ts
-    └── security.ts
+    ├── index.ts          # Export all utilities
+    ├── logger.ts         # Logging utility
+    ├── security.ts       # Security utilities (validation, rate limiting)
+    ├── transaction.ts    # Transaction helpers with retry logic
+    ├── query-builder.ts  # Safe parameterized query builder
+    ├── validation.ts     # Zod-based input validation
+    ├── audit.ts          # Audit logging for write operations
+    ├── monitoring.ts     # Connection pool health monitoring
+    └── pagination.ts     # Cursor-based pagination helpers
 ```
 
 ## Tools Summary (164 total)
@@ -170,3 +177,76 @@ Key tables: `documents`, `collections`, `users`, `groups`, `comments`, `revision
 Soft deletes: Most entities use `deletedAt` column, not hard deletes.
 
 See `SPEC-MCP-OUTLINE.md` for complete database schema.
+
+## Security Utilities
+
+The `src/utils/security.ts` module provides essential security functions:
+
+### Validation Functions
+
+| Function | Description |
+|----------|-------------|
+| `isValidUUID(uuid)` | Validate UUID format |
+| `isValidUrlId(urlId)` | Validate URL-safe ID format |
+| `isValidEmail(email)` | Validate email format |
+| `isValidHttpUrl(url)` | Validate URL is HTTP(S) - rejects javascript:, data:, file: protocols |
+| `isValidISODate(date)` | Validate ISO date format (YYYY-MM-DD or full ISO) |
+| `validateDaysInterval(days, default, max)` | Validate and clamp days interval for SQL |
+| `validatePeriod(period, allowed, default)` | Validate period against allowed values |
+| `validatePagination(limit, offset)` | Validate and normalize pagination params |
+| `validateSortDirection(direction)` | Validate sort direction (ASC/DESC) |
+| `validateSortField(field, allowed, default)` | Validate sort field against whitelist |
+
+### Sanitization Functions
+
+| Function | Description |
+|----------|-------------|
+| `sanitizeInput(input)` | Remove null bytes and trim whitespace |
+| `escapeHtml(text)` | Escape HTML entities for safe display |
+
+### Rate Limiting
+
+| Function | Description |
+|----------|-------------|
+| `checkRateLimit(type, clientId)` | Check if request should be rate limited |
+| `startRateLimitCleanup()` | Start background cleanup of expired entries |
+| `stopRateLimitCleanup()` | Stop cleanup interval (call on shutdown) |
+| `clearRateLimitStore()` | Clear all rate limit entries (testing) |
+
+### Usage Example
+
+```typescript
+import {
+  isValidUUID,
+  isValidHttpUrl,
+  validateDaysInterval,
+  startRateLimitCleanup,
+  stopRateLimitCleanup
+} from './utils/security.js';
+
+// Validation before SQL
+if (!isValidUUID(args.user_id)) {
+  throw new Error('Invalid user_id format');
+}
+
+// URL validation (prevents XSS)
+if (!isValidHttpUrl(args.webhook_url)) {
+  throw new Error('Invalid URL. Only HTTP(S) allowed.');
+}
+
+// Safe interval for SQL
+const safeDays = validateDaysInterval(args.days, 30, 365);
+// Use in query: `INTERVAL '${safeDays} days'` is safe (it's a number)
+
+// Lifecycle management
+startRateLimitCleanup();  // On server start
+stopRateLimitCleanup();   // On graceful shutdown
+```
+
+## Cryptographic Security
+
+Secrets and tokens use `crypto.randomBytes()` instead of `Math.random()`:
+
+- **OAuth secrets:** `oauth.ts` - `sk_` prefixed base64url tokens
+- **API keys:** `api-keys.ts` - `ol_` prefixed keys, only hash stored in DB
+- **Share URLs:** `shares.ts` - Cryptographically secure URL IDs