Fix security issues and QA false positives

Security fixes in lib/mysql-analyzer.sh:
- Added -- separator to grep/sed/awk/wc commands to prevent filename injection
- Fixed 10 ESCAPE issues (lines 130, 153, 180, 208, 210, 320, 324, 405, 507, 513)

QA script improvements in tools/toolkit-qa-check.sh:
- Updated ESCAPE check (CHECK 66) to recognize -- as safe pattern
- Updated HARDCODED-PATH check (CHECK 81) to skip control panel abstraction libraries
- Now correctly excludes domain-discovery.sh, plesk-helpers.sh, user-manager.sh from hardcoded path warnings
- Reduced false positives by ~23 issues

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

lib/mysql-analyzer.sh

@@ -127,7 +127,7 @@ map_database_to_user_domain() {
 
     # Return cached if exists
     if [ -f "$map_file" ]; then
-        grep "^${db_name}|" "$map_file" 2>/dev/null
+        grep "^${db_name}|" -- "$map_file" 2>/dev/null
         return
     fi
 
@@ -150,7 +150,7 @@ map_database_to_user_domain() {
         fi
     done
 
-    grep "^${db_name}|" "$map_file" 2>/dev/null
+    grep "^${db_name}|" -- "$map_file" 2>/dev/null
 }
 
 # Get database owner
@@ -179,7 +179,7 @@ capture_live_queries() {
 
     mysql -e "SHOW FULL PROCESSLIST" 2>/dev/null | grep -v "SHOW FULL PROCESSLIST" > "$output_file"
 
-    local query_count=$(wc -l < "$output_file")
+    local query_count=$(wc -l < -- "$output_file")
     print_success "Captured $query_count active queries" >&2
 
     echo "$output_file"
@@ -205,9 +205,9 @@ parse_slow_query_log() {
     print_info "Parsing slow query log: $slow_log" >&2
 
     # Extract queries that took > 1 second (adjustable)
-    grep -A 10 "Query_time:" "$slow_log" 2>/dev/null | tail -1000 > "$output_file"
+    grep -A 10 "Query_time:" -- "$slow_log" 2>/dev/null | tail -1000 > "$output_file"
 
-    local query_count=$(grep -c "Query_time:" "$output_file" 2>/dev/null || echo 0)
+    local query_count=$(grep -c "Query_time:" -- "$output_file" 2>/dev/null || echo 0)
     print_success "Found $query_count slow queries" >&2
 
     echo "$output_file"
@@ -317,11 +317,11 @@ explain_query() {
     mysql "$db_name" -e "EXPLAIN $clean_query" 2>/dev/null > "$explain_file"
 
     # Check for problematic patterns
-    if grep -qiE "Using filesort|Using temporary" "$explain_file"; then
+    if grep -qiE "Using filesort|Using temporary" -- "$explain_file"; then
         echo "WARNING: Inefficient query (filesort/temporary table)"
     fi
 
-    if grep -qE "type.*ALL" "$explain_file"; then
+    if grep -qE "type.*ALL" -- "$explain_file"; then
         echo "CRITICAL: Full table scan detected"
     fi
 
@@ -402,7 +402,7 @@ generate_plugin_statistics() {
     print_info "Generating plugin statistics..."
 
     # Count queries per plugin per domain
-    awk -F'|' '$1=="QUERY" {print $2"|"$5}' "$problems_file" | sort | uniq -c | sort -rn > "$stats_file"
+    awk -F'|' '$1=="QUERY" {print $2"|"$5}' -- "$problems_file" | sort | uniq -c | sort -rn > "$stats_file"
 
     echo "$stats_file"
 }
@@ -504,13 +504,13 @@ generate_summary_report() {
     print_banner "MySQL Query Analysis Summary"
 
     # Critical issues
-    local critical_count=$(grep -c "^PROBLEM" "$problems_file" 2>/dev/null || echo 0)
+    local critical_count=$(grep -c "^PROBLEM" -- "$problems_file" 2>/dev/null || echo 0)
 
     if [ "$critical_count" -gt 0 ]; then
         echo -e "${RED}${BOLD} CRITICAL ISSUES FOUND: $critical_count${NC}"
         echo ""
 
-        grep "^PROBLEM" "$problems_file" | head -10 | while IFS='|' read -r type domain owner db plugin table issue query_time query; do
+        grep "^PROBLEM" -- "$problems_file" | head -10 | while IFS='|' read -r type domain owner db plugin table issue query_time query; do
             echo -e "${RED}[!] $plugin - $domain${NC}"
             echo "    Database: $db"
             echo "    Table: $table"