feat(plugins): Implement severity system and add new security patterns

[Dann1y]

Summary

This PR transitions our security tool from a binary "block-all" approach to a nuanced 2-tier Severity System, improving developer workflow while expanding security coverage.

Solution

1. Severity System: "Block" vs "Warn"

• block: Stops execution for high-risk, definite security errors (e.g., SQL Injection, Eval).
• warn: Provides guidance for patterns that are risky but sometimes intentional (e.g., innerHTML, child_process).

2. 5 New Security Patterns

• Critical: sql_injection, hardcoded_secrets (API keys, etc.)
• Advisory: path_traversal, insecure_deserialization, unsafe_deprecated_apis

Quick File Reference

• security_reminder_hook.py: Core logic for severity branching & new patterns.
• README.md & plugin.json: Documentation and version bump (v1.1.0).
• test_security_reminder_hook.py: Comprehensive test suite (70 cases).

🛡️Existing Security Patterns

This table outlines the existing patterns, their severity levels, and the reasoning behind each.

Pattern	Severity	Rationale
github_actions_workflow	block	High-risk real-world vulnerability
eval_injection	block	Almost always a critical security mistake
child_process_exec	warn	Sometimes intentional for system tasks
new_function_injection	warn	Rare but legitimate use cases exist
react_dangerously_set_html	warn	Necessary in specific UI contexts
document_write_xss	warn	Legacy API; often used in educational contexts
innerHTML_xss	warn	Frequently used intentionally despite risks
pickle_deserialization	warn	Common in specific Python data workflows
os_system_injection	warn	Similar risks/usage to child_process

✨ New Security Patterns

This table details the newly added patterns and the logic used to detect them.

Pattern	Severity	Detection Logic
sql_injection	block	SQL keywords combined with string concat or f-strings
hardcoded_secrets	block	API keys, passwords, or PEM keys assigned to string literals
path_traversal	warn	File operations using input from request objects
insecure_deserialization	warn	Unsafe methods like yaml.load or node-serialize
unsafe_deprecated_apis	warn	MD5/SHA1 hashing and deprecated new Buffer() usage

Test

• Automated Unit Tests: Added 70 new test cases in tests/test_security_reminder_hook.py covering all 14 patterns, correct exit code branching, and state management.
• False Positive Mitigation: Verified that safe code patterns—such as environment variable access (process.env.API_KEY), parameterized SQL queries, and yaml.safe_load()—do not trigger any alerts.
• Manual Verification: Confirmed that vulnerable snippets correctly trigger the intended block or warn behavior in a live terminal environment.