fix(install-dynamic-plugins): address Sonar code-smell findings

Resolves the 21 issues flagged by SonarQube on PR #4574:

Prototype pollution (CodeQL, merger.ts)
- `deepMerge` now assigns via `Object.defineProperty` (bypasses the
  `__proto__` setter on `Object.prototype`) in addition to the existing
  `FORBIDDEN_KEYS` guard. CodeQL recognizes this pattern.

Redundant type assertions
- `index.ts:180`: drop `pc as Record<string, unknown>` — use the
  `isPlainObject` type guard already imported from `util.ts`.
- `installer-npm.ts:37`, `installer-oci.ts:35`: replace
  `(plugin.pluginConfig ?? {}) as Record<string, unknown>` with a
  typed local variable.
- `installer-oci.ts:41,51,71,78`: drop `as string` casts by restructuring
  the `isAlreadyInstalled` helper with proper `undefined` checks.
- `merger.ts:136-140`: replace `.slice(-1)[0] as string` with
  `.at(-1) ?? ''`.
- `merger.ts:215`: `ReadonlyArray<keyof Plugin | string>` collapses to
  `ReadonlyArray<string>`.

Cognitive complexity reductions
- `installOciPlugin` (17 → ~10): extract `resolvePullPolicy` and
  `isAlreadyInstalled` helpers.
- `mergeOciPlugin` (20 → ~12): extract `resolveInherit`.
- `npmPluginKey` (16 → ~7): extract `tryParseAlias`, `isGitLikeSpec`,
  `stripRefSuffix`.
- `ociPluginKey`: extract `autoDetectPluginPath`.

Modern JS / readability (es2015-es2022)
- `integrity.ts`: `charCodeAt` → `codePointAt` (es2015).
- `oci-key.ts`: use `String.raw` for the regex pieces containing `\s`,
  `\d`, `\]`, `\\` instead of escaped string literals (es2015).
- `oci-key.ts:escape`: `.replace(/.../g, ...)` → `.replaceAll(...)` (es2021).
- `plugin-hash.ts`: pass an explicit code-point comparator to `sort` so
  deterministic-hash behavior is spelled out. `localeCompare` is NOT
  used — it varies per-locale and would break hash stability.

All 115 tests still pass. Bundle rebuilt (415.1 KB).

Author: gustavolira

scripts/install-dynamic-plugins/dist/install-dynamic-plugins.cjs

@@ -175,9 +175,8 @@ function handleSkippedLocals(skipped: Plugin[], globalConfig: Record<string, unk
   for (const plugin of skipped) {
     const abs = path.join(process.cwd(), plugin.package.slice(2));
     log(`\t==> ${plugin.package} (not found at ${abs})`);
-    const pc = plugin.pluginConfig;
-    if (pc && typeof pc === 'object' && !Array.isArray(pc)) {
-      deepMerge(pc as Record<string, unknown>, globalConfig);
+    if (isPlainObject(plugin.pluginConfig)) {
+      deepMerge(plugin.pluginConfig, globalConfig);
     }
   }
 }

scripts/install-dynamic-plugins/src/index.ts

@@ -34,7 +34,7 @@ export async function installNpmPlugin(
   }
   const pkg = plugin.package;
   const force = plugin.forceDownload ?? false;
-  const config = (plugin.pluginConfig ?? {}) as Record<string, unknown>;
+  const config: Record<string, unknown> = plugin.pluginConfig ?? {};
 
   if (installed.has(hash) && !force) {
     const pullPolicy = plugin.pullPolicy ?? PullPolicy.IF_NOT_PRESENT;