feat: Enhance XML escaping in metadata and project structure for improved safety

Author: Ashjha75

index.js

@@ -1490,21 +1490,25 @@
                 parts.push('<codebase_context>\n\n');
 
                 parts.push('<metadata>\n');
-                parts.push(`  <generated_at>${timestamp}</generated_at>\n`);
-                parts.push(`  <formatted_date>${formattedDate}</formatted_date>\n`);
-                parts.push(`  <project_root>${S.root}</project_root>\n`);
+                parts.push(`  <generated_at>${xmlEscape(timestamp)}</generated_at>\n`);
+                parts.push(`  <formatted_date>${xmlEscape(formattedDate)}</formatted_date>\n`);
+                parts.push(`  <project_root>${xmlEscape(S.root)}</project_root>\n`);
                 parts.push(`  <statistics>\n`);
                 parts.push(`    <total_files>${totalFiles}</total_files>\n`);
                 parts.push(`    <total_size>${bytes(totalSize)}</total_size>\n`);
                 parts.push(`    <estimated_tokens>${estimatedTokens}</estimated_tokens>\n`);
                 parts.push(`  </statistics>\n`);
                 parts.push(`  <languages>\n`);
                 Object.entries(langStats).sort((a, b) => b[1] - a[1]).forEach(([lang, count]) => {
-                    parts.push(`    <language name="${lang}" count="${count}" />\n`);
+                    parts.push(`    <language name="${xmlEscape(lang)}" count="${count}" />\n`);
                 });
                 parts.push(`  </languages>\n`);
                 parts.push('</metadata>\n\n');
 
+                // Human-readable header (XML-safe comment) to mark the system prompt section
+                parts.push('<!-- 🎯 SYSTEM PROMPT -->\n');
+                // Human-readable header (XML-safe comment) to mark the system prompt section
+                parts.push('<!-- 🎯 SYSTEM PROMPT -->\n');
                 parts.push('<system_prompt>\n');
                 parts.push('  <role>Expert Software Engineer</role>\n');
                 parts.push('  <task>Analyze and work with this complete codebase</task>\n');
@@ -1524,7 +1528,7 @@
                 parts.push('  </data_format>\n');
                 parts.push('</system_prompt>\n\n');
 
-                parts.push('<project_structure>\n', struct, '</project_structure>\n\n');
+                parts.push('<project_structure><![CDATA[' + struct + ']]></project_structure>\n\n');
                 parts.push('<source_files>\n');
             } else if (S.model === 'gemini') {
                 parts.push('# 🚀 COMPLETE PROJECT CONTEXT FOR GEMINI\n');
@@ -1547,7 +1551,8 @@
                 });
                 parts.push('\n');
 
-                parts.push('## 🧠 SYSTEM PROMPT & INSTRUCTIONS\n\n');
+                // Use unified human-readable header for Gemini output
+                parts.push('## 🎯 SYSTEM PROMPT\n');
                 parts.push('> **Role**: Expert Software Engineer and Code Analyst\n\n');
                 parts.push('**📌 Key Instructions:**\n\n');
                 parts.push('1. **Complete Context**: This is the FULL and AUTHORITATIVE codebase\n');

style.css

@@ -4,15 +4,23 @@
     color: #e8e8e8;
     border: 1px solid #444;
     border-radius: 4px;
-    padding: 2px 8px;
-    font-size: 1em;
+    padding: 6px 34px 6px 10px;
+    font-size: 0.95em;
     margin-left: 4px;
     margin-right: 2px;
     outline: none;
-    transition: border 0.15s;
+    transition: border 0.15s, box-shadow 0.15s;
+    appearance: none;
+    -webkit-appearance: none;
+    -moz-appearance: none;
+    background-image: url('data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" width="10" height="6"><path fill="%23e8e8e8" d="M0 0 L5 6 L10 0 Z"/></svg>');
+    background-repeat: no-repeat;
+    background-position: right 8px center;
+    background-size: 10px 6px;
 }
 #modelSelector:focus {
     border-color: #fbbf24;
+    box-shadow: 0 0 0 3px rgba(251,187,36,0.08);
 }
 /* Only sidebar main action icons (Select Directory, Create Context) black and small */
 .sidebar-btn-icon {