fix: use exclusive file creation for chroot-hosts to address CWE-377

Use fs.openSync with O_CREAT|O_EXCL instead of copyFileSync/writeFileSync
to securely create the chroot-hosts temp file. This prevents symlink and
TOCTOU attacks flagged by CodeQL's js/insecure-temporary-file rule.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Mossaka

src/docker-manager.ts

@@ -501,11 +501,21 @@ export function generateDockerCompose(
     //    split DNS, and other custom resolvers not available inside the container)
     // 2. Inject host.docker.internal when --enable-host-access is set
     const chrootHostsPath = path.join(config.workDir, 'chroot-hosts');
+    // Read host's /etc/hosts content (fallback to minimal if unreadable)
+    let hostsInitialContent = '127.0.0.1 localhost\n';
     try {
-      fs.copyFileSync('/etc/hosts', chrootHostsPath);
+      hostsInitialContent = fs.readFileSync('/etc/hosts', 'utf-8');
     } catch {
-      fs.writeFileSync(chrootHostsPath, '127.0.0.1 localhost\n');
+      // /etc/hosts not readable, use minimal fallback
     }
+    // Securely create file with O_EXCL to prevent symlink/TOCTOU attacks (CWE-377)
+    const fd = fs.openSync(
+      chrootHostsPath,
+      fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_EXCL,
+      0o600,
+    );
+    fs.writeSync(fd, hostsInitialContent);
+    fs.closeSync(fd);
 
     // Pre-resolve allowed domains on the host and inject into /etc/hosts
     // This is critical for domains that rely on custom DNS (e.g., Tailscale MagicDNS