refactor: enhance pattern detection and symlink safety

- Expand sensitive data patterns (credentials, cloud configs, media folders)
- Add symlink target validation in path deletion checks
- Remove shared Gradle cache from Android Studio cleanup

lib/core/file_ops.sh

@@ -39,6 +39,25 @@ validate_path_for_deletion() {
         return 1
     fi
 
+    # Check symlink target if path is a symbolic link
+    if [[ -L "$path" ]]; then
+        local link_target
+        link_target=$(readlink "$path" 2>/dev/null) || {
+            log_error "Cannot read symlink: $path"
+            return 1
+        }
+
+        # If symlink points to absolute path, validate target
+        if [[ "$link_target" == /* ]]; then
+            case "$link_target" in
+            /System/* | /usr/bin/* | /usr/lib/* | /bin/* | /sbin/* | /private/etc/*)
+                log_error "Symlink points to protected system path: $path -> $link_target"
+                return 1
+                ;;
+            esac
+        fi
+    fi
+
     # Check path is absolute
     if [[ "$path" != /* ]]; then
         log_error "Path validation failed: path must be absolute: $path"

lib/uninstall/batch.sh

@@ -30,6 +30,32 @@ SENSITIVE_DATA_REGEX=$(
     echo "${SENSITIVE_DATA_PATTERNS[*]}"
 )
 
+# High-performance sensitive data detection (pure Bash, no subprocess)
+# Faster than grep for batch operations, especially when processing many apps
+has_sensitive_data() {
+    local files="$1"
+    [[ -z "$files" ]] && return 1
+
+    while IFS= read -r file; do
+        [[ -z "$file" ]] && continue
+
+        # Use Bash native pattern matching (faster than spawning grep)
+        case "$file" in
+        */.warp* | */.config/* | */themes/* | */settings/* | */User\ Data/* | \
+            */.ssh/* | */.gnupg/* | */Documents/* | */Preferences/*.plist | \
+            */Desktop/* | */Downloads/* | */Movies/* | */Music/* | */Pictures/* | \
+            */.password* | */.token* | */.auth* | */keychain* | \
+            */Passwords/* | */Accounts/* | */Cookies/* | \
+            */.aws/* | */.docker/config.json | */.kube/* | \
+            */credentials/* | */secrets/*)
+            return 0 # Found sensitive data
+            ;;
+        esac
+    done <<<"$files"
+
+    return 1 # Not found
+}
+
 # Decode and validate base64 file list (safe for set -e).
 decode_file_list() {
     local encoded="$1"
@@ -230,7 +256,7 @@ batch_uninstall_applications() {
 
         # Check for sensitive user data once.
         local has_sensitive_data="false"
-        if [[ -n "$related_files" ]] && echo "$related_files" | grep -qE "$SENSITIVE_DATA_REGEX"; then
+        if has_sensitive_data "$related_files"; then
             has_sensitive_data="true"
         fi