
fix: patch 4 high-severity bugs from codebase review #65

Merged
dbfx merged 1 commit into main from t3code/bug-review
Mar 24, 2026
@dbfx dbfx commented Mar 24, 2026

Summary

  • fix(file-utils): isExcluded() hardcoded path normalization to backslash (\), completely breaking exclusion matching on Linux and macOS where / is the path separator. Now uses platform-aware separator.
  • fix(cloud-agent): handleUpdateThreatBlacklist validated the URL hostname for private IP literals but never called assertPublicResolution() to check DNS resolution, leaving a DNS rebinding SSRF vector. Now calls the existing assertPublicResolution() before downloading.
  • fix(service-manager): applyServiceChanges only allowed Manual or Disabled start types — any request to restore a service to Automatic or AutomaticDelayed was silently downgraded to Disabled. Now supports all 4 valid start types via an allowlist.
  • fix(index): Windows Task Scheduler XML was written as UTF-16LE without a BOM. schtasks /Create expects a BOM to correctly identify the encoding; without it, auto-launch registration can silently fail (especially with non-ASCII exe paths). Added \uFEFF BOM.

Test plan

  • All 779 existing tests pass
  • Verify exclusion rules work on Linux/macOS (e.g. add a path exclusion, run a scan, confirm excluded paths are skipped)
  • Verify service manager can restore a service to Automatic start type on Windows
  • Verify auto-launch registration works on Windows with a path containing spaces
  • Verify threat blacklist update rejects domains resolving to private IPs

🤖 Generated with Claude Code

- fix(file-utils): use platform-aware path separator in isExcluded so
  exclusion matching works on Linux/macOS (was hardcoded to backslash)
- fix(cloud-agent): add DNS rebinding protection to blacklist download
  by calling assertPublicResolution before fetching the URL
- fix(service-manager): support Automatic/AutomaticDelayed start types
  instead of silently falling back to Disabled
- fix(index): prepend UTF-16LE BOM to schtasks XML so Windows Task
  Scheduler correctly parses the file

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
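
The DNS-resolution check described in the cloud-agent fix, as an added example that is not code from this pull request or the project: it vets every address a hostname resolves to, which a check of the URL's hostname string alone cannot do. `isPublicAddress`, `findNonPublic`, `resolvePublicOnly` and the sample records are hypothetical; the project's `assertPublicResolution()` implementation is not shown on this page.

```javascript
// Added example: all names below are hypothetical, not the project's code.
// Assumes address strings come from a DNS resolver, not from user input.
function ipv4ToInt(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Non-public IPv4 ranges checked here, as [base, prefix length]; not a full registry.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

function isPublicAddress(addr) {
  let a = String(addr).toLowerCase();
  if (a.startsWith('::ffff:') && a.includes('.')) a = a.slice(7); // IPv4-mapped IPv6
  const n = ipv4ToInt(a);
  if (n === null) return /^[23][0-9a-f]{3}:/.test(a); // IPv6: only 2000::/3, else fail closed
  return !BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ipv4ToInt(base);
  });
}

// One private answer among public ones is enough to reject the name.
function findNonPublic(records) {
  if (records.length === 0) return ['<no addresses>'];
  return records.map((r) => r.address).filter((ip) => !isPublicAddress(ip));
}

// lookup is injected so this runs offline; in Node, pass dns.promises.lookup.
async function resolvePublicOnly(hostname, lookup) {
  const records = await lookup(hostname, { all: true });
  const bad = findNonPublic(records);
  if (bad.length) throw new Error(`${hostname} resolves to non-public: ${bad.join(', ')}`);
  return records.map((r) => r.address);
}

// Constructed resolver answers (not real DNS data). None of these hostnames is
// an IP literal, so a hostname-string check alone would accept all three.
const SAMPLE = {
  'updates.example': [{ address: '93.184.216.34', family: 4 }],
  'rebind.example': [{ address: '93.184.216.34', family: 4 }, { address: '127.0.0.1', family: 4 }],
  'metadata.example': [{ address: '169.254.169.254', family: 4 }],
};
```

A check like this is only as strong as the connection that follows it: the download should connect to one of the returned addresses rather than trigger a second lookup that could return a different answer.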

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2b77c88150

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@dbfx dbfx merged commit 58acebf into main Mar 24, 2026
8 checks passed
@dbfx dbfx deleted the t3code/bug-review branch March 24, 2026 08:39