
feat: $sanitize (spec 013) and $exceptionHandler (spec 014)#29

Merged
Mgrdich merged 7 commits into master from sanitize-exception-handler on May 1, 2026

Conversation

Owner

@Mgrdich Mgrdich commented Apr 30, 2026

Summary

Ships two AngularJS-parity services and the planning docs for a follow-up.

Spec 013 — $sanitize (HTML sanitization):

  • Opt-in ngSanitize module (separate ./sanitize subpath, never on core ng) — apps that don't render untrusted HTML pay no cost.
  • ESM-first createSanitize / sanitize factory + $SanitizeProvider DI shim with addValidElements / addValidAttrs / enableSvg / uriPattern setters.
  • Regex-based HTML tokenizer ported faithfully from AngularJS 1.x htmlParser; tag + attribute + URL-protocol allow-lists default to AngularJS 1.8.x.
  • $sce.getTrustedHtml automatically delegates plain strings through $sanitize when ngSanitize is loaded — lazy $injector.has('$sanitize') lookup, no hard dep, no decoration.
  • Dedicated cve-regressions.test.ts covers historical ngSanitize advisories (CVE-2020-7676, CVE-2018-12116, CVE-2014-3506).
  • DOMPurify-compat decorator pattern documented.

Spec 014 — $exceptionHandler (centralized exception routing):

  • Core ng module registers $exceptionHandler (default = console.error); apps override via module.factory or module.decorator.
  • Six console.error swallowing sites in src/core/scope.ts (watchFn, watchListener, $evalAsync, $applyAsync, $$postDigest, eventListener) plus the digest TTL throw all route through a recursion-guarded invokeExceptionHandler helper.
  • $interpolate render-time errors caught and routed via $exceptionHandler with cause '$interpolate'; failed expression slots render as ''; allOrNothing and oneTime short-circuits preserved.
  • Eight-token EXCEPTION_HANDLER_CAUSES vocabulary frozen and exported as an ExceptionHandlerCause union.
  • Scope.create({ exceptionHandler }) and createInterpolate({ exceptionHandler }) accept the option for ESM consumers.

Spec 015 — $provide (planning only):

  • Functional + technical spec drafted; implementation lands in a follow-up PR.
  • Closes the AngularJS-canonical config(['$provide', $p => $p.factory(...)]) gap surfaced by spec 014's skipped DI test (one of the six skipped tests in this PR waits on $provide).
  • Roadmap updated under Phase 1 DI as a follow-up backlog item.

Test plan

  • pnpm lint — clean
  • pnpm format:check — clean
  • pnpm typecheck — clean
  • pnpm test — 1603 passing + 6 skipped across 45 files (one skipped test waits on spec 015 / $provide)
  • pnpm build — succeeds; new ./sanitize and ./exception-handler subpaths emit .mjs, .cjs, and .d.ts
  • All prior spec suites (002, 003, 006, 007–012) continue to pass unchanged
  • AWOS verification: specs 013 and 014 both marked Status: Completed; roadmap items ticked

Docs

  • CLAUDE.md gains ./sanitize and ./exception-handler Modules rows, new Non-obvious-invariants bullets (opt-in ngSanitize; digest "log and continue" through $exceptionHandler), and two new "Where to look when…" entries.
  • New src/sanitize/README.md and src/exception-handler/README.md document override patterns, allow-list extension recipes, the recursion-guard contract, and CVE-regression coverage.
  • package.json exports, rollup.config.mjs build entries, and path aliases (tsconfig.json, vitest.config.ts, rollup.config.mjs) extended for both new subpaths.
  • context/product/roadmap.md ticks Security ($sanitize) and Exception Handling ($exceptionHandler); adds a Phase 1 DI follow-up entry for spec 015's $provide.

🤖 Generated with Claude Code
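The "log and continue" digest and the recursion-guard contract described in the spec 014 bullets, as an added illustration that is not the project's code: `createExceptionRouter`, `runDigest`, `demo` and the constructed watcher list are assumptions standing in for the PR's `invokeExceptionHandler` and `src/core/scope.ts`. It shows a misbehaving `$exceptionHandler` (one that re-enters the digest and then throws) being kept from recursing or aborting the digest.

```typescript
type Cause = 'watchFn' | 'watchListener' | '$interpolate';
type ExceptionHandler = (err: unknown, cause: Cause) => void;
type Router = (err: unknown, cause: Cause) => void;
// Recursion-guarded router (assumed shape): while the app's handler runs, any
// nested error goes to the last-resort sink; a throwing handler is also caught.
function createExceptionRouter(handler: ExceptionHandler, fallback: Router): Router {
  let inHandler = false;
  return (err, cause) => {
    if (inHandler) { fallback(err, cause); return; } // nested: do not re-enter
    inHandler = true;
    try { handler(err, cause); }
    catch (handlerErr) { fallback(handlerErr, cause); } // handler itself failed
    finally { inHandler = false; }
  };
}

interface Watcher { fn: () => unknown; listener?: (v: unknown) => void }
// "Log and continue": a failing watcher is reported, the digest keeps going.
function runDigest(watchers: Watcher[], route: Router): number {
  let completed = 0;
  for (const w of watchers) {
    let value: unknown;
    try { value = w.fn(); } catch (e) { route(e, 'watchFn'); continue; }
    try { w.listener?.(value); } catch (e) { route(e, 'watchListener'); }
    completed++;
  }
  return completed;
}

// Constructed scenario: one watchFn throws, one listener throws, and the app's
// handler misbehaves (re-enters the digest on its first call, throws on a listener error).
function demo() {
  const msg = (e: unknown) => (e instanceof Error ? e.message : String(e));
  const handled: Array<[string, Cause]> = [];
  const fallback: Array<[string, Cause]> = [];
  const watchers: Watcher[] = [
    { fn: () => { throw new Error('boom'); } },
    { fn: () => 1, listener: () => { throw new Error('listener'); } },
    { fn: () => 2 },
  ];
  let route!: Router;
  const handler: ExceptionHandler = (e, c) => {
    handled.push([msg(e), c]);
    if (handled.length === 1) runDigest(watchers, route); // re-entrant digest
    if (c === 'watchListener') throw new Error('handler died');
  };
  route = createExceptionRouter(handler, (e, c) => { fallback.push([msg(e), c]); });
  const completed = runDigest(watchers, route);
  return { completed, handled, fallback };
}
```

The outer digest still completes both healthy watchers; the errors raised inside the re-entrant handler and the handler's own failure land in the fallback sink instead of recursing.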

Mgrdich and others added 7 commits April 27, 2026 15:49
Co-Authored-By: Claude <noreply@anthropic.com>
@Mgrdich Mgrdich merged commit cbcdf24 into master May 1, 2026
2 checks passed
@Mgrdich Mgrdich deleted the sanitize-exception-handler branch May 1, 2026 15:23