fix(frontend): harden markdown rendering and allow cross-origin AI links

[topher-lo]

Summary by cubic

Hardened markdown by trusting only real KaTeX output and stripping inline styles elsewhere. Also enabled cross‑origin links/images and set a default origin to resolve relative URLs.

• New Features

  • Allow cross‑origin links and images; pass defaultOrigin=https://tracecat.local to all Streamdown instances for path‑relative URLs.

• Bug Fixes

  • Strip all inline styles outside trusted KaTeX trees; inside KaTeX, allow only a small set of style properties/values and canonicalize them.
  • Extend sanitize schema with MathML/SVG tags and safe attributes; rely on Streamdown’s built‑in KaTeX; add tests for style stripping and filtering.

^{Written for commit 69fbb94. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 4 files

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 91fc59fbfe

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".