feat(core): add production validation mode with security config

Implements Priority 4 (LOW) security enhancement: production validation mode.

Changes:
- New config.py module with SecurityConfig TypedDict
- Environment variable support for security settings
- Updated factory functions to respect global validation config
- Factory functions now accept Optional[bool] for validation:
  - None: use global config (default)
  - True: force validation
  - False: skip validation

Environment Variables:
- CLI_PATTERNS_ENABLE_VALIDATION: Enable strict validation (default: false)
- CLI_PATTERNS_MAX_JSON_DEPTH: Max nesting depth (default: 50)
- CLI_PATTERNS_MAX_COLLECTION_SIZE: Max collection size (default: 1000)
- CLI_PATTERNS_ALLOW_SHELL: Allow shell features globally (default: false)

Benefits:
- Zero-overhead validation in development (default: off)
- Easy enablement for production via environment variable
- Consistent validation behavior across all factory functions
- Configurable DoS protection limits

Usage:
```bash
# Production deployment
export CLI_PATTERNS_ENABLE_VALIDATION=true
```

All 782 tests passing.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: dugshub

src/cli_patterns/core/config.py

@@ -0,0 +1,123 @@
+"""Configuration for CLI Patterns core behavior.
+
+This module provides security and runtime configuration through environment
+variables and TypedDict configurations.
+"""
+
+from __future__ import annotations
+
+import os
+from typing import TypedDict
+
+
+class SecurityConfig(TypedDict):
+    """Security configuration settings.
+
+    These settings control security features like validation strictness,
+    DoS protection limits, and shell feature permissions.
+    """
+
+    enable_validation: bool
+    """Enable strict validation for all factory functions.
+
+    When True, factory functions perform validation on inputs.
+    Default: False (for performance in development).
+    Recommended for production: True
+    """
+
+    max_json_depth: int
+    """Maximum nesting depth for JSON values.
+
+    Prevents DoS attacks via deeply nested structures.
+    Default: 50 levels
+    """
+
+    max_collection_size: int
+    """Maximum size for collections.
+
+    Prevents memory exhaustion from large data structures.
+    Default: 1000 items
+    """
+
+    allow_shell_features: bool
+    """Allow shell features by default (INSECURE).
+
+    When True, shell features (pipes, redirects, etc.) are allowed by default.
+    Default: False (secure)
+    WARNING: Setting this to True is a security risk. Always use per-action
+    configuration instead.
+    """
+
+
+def get_security_config() -> SecurityConfig:
+    """Get security configuration from environment variables.
+
+    Environment Variables:
+        CLI_PATTERNS_ENABLE_VALIDATION: Enable strict validation (default: false)
+            Set to 'true' to enable validation in factory functions.
+
+        CLI_PATTERNS_MAX_JSON_DEPTH: Max JSON nesting depth (default: 50)
+            Controls maximum depth for nested data structures.
+
+        CLI_PATTERNS_MAX_COLLECTION_SIZE: Max collection size (default: 1000)
+            Controls maximum number of items in collections.
+
+        CLI_PATTERNS_ALLOW_SHELL: Allow shell features globally (default: false)
+            WARNING: Setting to 'true' is insecure. Use per-action configuration.
+
+    Returns:
+        SecurityConfig with settings from environment or defaults
+
+    Example:
+        >>> os.environ['CLI_PATTERNS_ENABLE_VALIDATION'] = 'true'
+        >>> config = get_security_config()
+        >>> config['enable_validation']
+        True
+    """
+    return SecurityConfig(
+        enable_validation=os.getenv("CLI_PATTERNS_ENABLE_VALIDATION", "false").lower()
+        == "true",
+        max_json_depth=int(os.getenv("CLI_PATTERNS_MAX_JSON_DEPTH", "50")),
+        max_collection_size=int(os.getenv("CLI_PATTERNS_MAX_COLLECTION_SIZE", "1000")),
+        allow_shell_features=os.getenv("CLI_PATTERNS_ALLOW_SHELL", "false").lower()
+        == "true",
+    )
+
+
+# Global config instance (cached)
+_security_config: SecurityConfig | None = None
+
+
+def get_config() -> SecurityConfig:
+    """Get global security config (cached).
+
+    This function caches the configuration on first call to avoid
+    repeated environment variable lookups.
+
+    Returns:
+        Cached SecurityConfig instance
+
+    Example:
+        >>> config = get_config()
+        >>> if config['enable_validation']:
+        ...     # Perform validation
+        ...     pass
+    """
+    global _security_config
+    if _security_config is None:
+        _security_config = get_security_config()
+    return _security_config
+
+
+def reset_config() -> None:
+    """Reset cached configuration.
+
+    This is primarily useful for testing when you need to reload
+    configuration from environment variables.
+
+    Example:
+        >>> reset_config()
+        >>> # Config will be reloaded on next get_config() call
+    """
+    global _security_config
+    _security_config = None

src/cli_patterns/core/types.py

@@ -17,7 +17,7 @@
 
 from __future__ import annotations
 
-from typing import Any, NewType, Union
+from typing import Any, NewType, Optional, Union
 
 from typing_extensions import TypeGuard
 
@@ -63,19 +63,25 @@
 
 
 # Factory functions for creating semantic types
-def make_branch_id(value: str, validate: bool = False) -> BranchId:
+def make_branch_id(value: str, validate: Optional[bool] = None) -> BranchId:
     """Create a BranchId from a string value.
 
     Args:
         value: String value to convert to BranchId
-        validate: If True, validate the input (default: False for zero overhead)
+        validate: If True, validate input. If None, use global config. If False, skip.
 
     Returns:
         BranchId with semantic type safety
 
     Raises:
         ValueError: If validate=True and value is invalid
     """
+    if validate is None:
+        # Import here to avoid circular dependency
+        from cli_patterns.core.config import get_config
+
+        validate = get_config()["enable_validation"]
+
     if validate:
         if not value or not value.strip():
             raise ValueError("BranchId cannot be empty")
@@ -84,19 +90,24 @@ def make_branch_id(value: str, validate: bool = False) -> BranchId:
     return BranchId(value)
 
 
-def make_action_id(value: str, validate: bool = False) -> ActionId:
+def make_action_id(value: str, validate: Optional[bool] = None) -> ActionId:
     """Create an ActionId from a string value.
 
     Args:
         value: String value to convert to ActionId
-        validate: If True, validate the input (default: False for zero overhead)
+        validate: If True, validate input. If None, use global config. If False, skip.
 
     Returns:
         ActionId with semantic type safety
 
     Raises:
         ValueError: If validate=True and value is invalid
     """
+    if validate is None:
+        from cli_patterns.core.config import get_config
+
+        validate = get_config()["enable_validation"]
+
     if validate:
         if not value or not value.strip():
             raise ValueError("ActionId cannot be empty")
@@ -105,19 +116,24 @@ def make_action_id(value: str, validate: bool = False) -> ActionId:
     return ActionId(value)
 
 
-def make_option_key(value: str, validate: bool = False) -> OptionKey:
+def make_option_key(value: str, validate: Optional[bool] = None) -> OptionKey:
     """Create an OptionKey from a string value.
 
     Args:
         value: String value to convert to OptionKey
-        validate: If True, validate the input (default: False for zero overhead)
+        validate: If True, validate input. If None, use global config. If False, skip.
 
     Returns:
         OptionKey with semantic type safety
 
     Raises:
         ValueError: If validate=True and value is invalid
     """
+    if validate is None:
+        from cli_patterns.core.config import get_config
+
+        validate = get_config()["enable_validation"]
+
     if validate:
         if not value or not value.strip():
             raise ValueError("OptionKey cannot be empty")
@@ -126,19 +142,24 @@ def make_option_key(value: str, validate: bool = False) -> OptionKey:
     return OptionKey(value)
 
 
-def make_menu_id(value: str, validate: bool = False) -> MenuId:
+def make_menu_id(value: str, validate: Optional[bool] = None) -> MenuId:
     """Create a MenuId from a string value.
 
     Args:
         value: String value to convert to MenuId
-        validate: If True, validate the input (default: False for zero overhead)
+        validate: If True, validate input. If None, use global config. If False, skip.
 
     Returns:
         MenuId with semantic type safety
 
     Raises:
         ValueError: If validate=True and value is invalid
     """
+    if validate is None:
+        from cli_patterns.core.config import get_config
+
+        validate = get_config()["enable_validation"]
+
     if validate:
         if not value or not value.strip():
             raise ValueError("MenuId cannot be empty")