fix: address code scanning alerts (#240)

src/utils/claudemd.ts

@@ -307,10 +307,6 @@ function stripHtmlCommentsFromTokens(tokens: ReturnType<Lexer['lex']>): {
   let result = ''
   let stripped = false
 
-  // A well-formed HTML comment span. Non-greedy so multiple comments on the
-  // same line are matched independently; [\s\S] to span newlines.
-  const commentSpan = /<!--[\s\S]*?-->/g
-
   for (const token of tokens) {
     if (token.type === 'html') {
       const trimmed = token.raw.trimStart()
@@ -318,7 +314,7 @@ function stripHtmlCommentsFromTokens(tokens: ReturnType<Lexer['lex']>): {
         // Per CommonMark, a type-2 HTML block ends at the *line* containing
         // `-->`, so text after `-->` on that line is part of this token.
         // Strip only the comment spans and keep any residual content.
-        const residue = token.raw.replace(commentSpan, '')
+        const residue = stripHtmlCommentSpans(token.raw)
         stripped = true
         if (residue.trim().length > 0) {
           // Residual content exists (e.g. `<!-- note --> Use bun`): keep it.
@@ -333,6 +329,20 @@ function stripHtmlCommentsFromTokens(tokens: ReturnType<Lexer['lex']>): {
   return { content: result, stripped }
 }
 
+function stripHtmlCommentSpans(raw: string): string {
+  let residue = raw
+
+  while (residue.includes('<!--')) {
+    const updated = residue.replace(/<!--[\s\S]*?-->/g, '')
+    if (updated === residue) {
+      break
+    }
+    residue = updated
+  }
+
+  return residue
+}
+
 /**
  * Parses raw memory file content into a MemoryFileInfo. Pure function — no I/O.
  *
@@ -504,8 +514,7 @@ function extractIncludePathsFromTokens(
         const raw = element.raw || ''
         const trimmed = raw.trimStart()
         if (trimmed.startsWith('<!--') && trimmed.includes('-->')) {
-          const commentSpan = /<!--[\s\S]*?-->/g
-          const residue = raw.replace(commentSpan, '')
+          const residue = stripHtmlCommentSpans(raw)
           if (residue.trim().length > 0) {
             extractPathsFromText(residue)
           }

src/utils/log.ts

@@ -159,7 +159,7 @@ export function logError(error: unknown): void {
   const err = toError(error)
   if (feature('HARD_FAIL') && isHardFailMode()) {
     // biome-ignore lint/suspicious/noConsole:: intentional crash output
-    console.error('[HARD FAIL] logError called with:', err.stack || err.message)
+    console.error('[HARD FAIL] logError called:', err.name || 'Error')
     // eslint-disable-next-line custom-rules/no-process-exit
     process.exit(1)
   }

src/utils/words.ts

@@ -3,7 +3,7 @@
  * Inspired by https://github.com/nas5w/random-word-slugs
  * with Claude-flavored words
  */
-import { randomBytes } from 'crypto'
+import { randomInt as cryptoRandomInt } from 'crypto'
 
 // Adjectives for slug generation - whimsical and delightful
 const ADJECTIVES = [
@@ -765,10 +765,7 @@ const VERBS = [
  * Generate a cryptographically random integer in the range [0, max)
  */
 function randomInt(max: number): number {
-  // Use crypto.randomBytes for better randomness than Math.random
-  const bytes = randomBytes(4)
-  const value = bytes.readUInt32BE(0)
-  return value % max
+  return cryptoRandomInt(max)
 }
 
 /**