fix: critical security vulnerabilities in IPC handlers and renderer

[navedr]

Summary

Security audit identified several critical and high-severity vulnerabilities. This PR fixes the top 6:

• Arbitrary file read/write via IPC — read-file-for-panel, save-file-for-panel, watch-file, read-memory, and save-memory accepted any file path from the renderer with no validation. Added path allowlisting (~/.claude/ + active session project dirs).
• XSS via unsanitized markdown — marked.parse() output was assigned to innerHTML without sanitization. Added DOMPurify to sanitize all markdown rendering.
• Command injection via session options — permissionMode, worktreeName, and addDirs were interpolated into shell command strings without validation. Added shell metacharacter rejection.
• No Content Security Policy — Added CSP header (default-src 'self') via session.defaultSession.webRequest.onHeadersReceived.

What's NOT in this PR

• preLaunchCmd is intentionally a shell command (by design), so it's left as-is. A future refactor could move PTY spawning to array-based args to eliminate the entire shell interpretation surface.
• macOS entitlements (allow-dyld-environment-variables, etc.) are required by native modules and can't be tightened without breaking node-pty/better-sqlite3.

Files changed

File	Change
main.js	Path validation helper, shell arg validation, CSP header, secured 5 IPC handlers
package.json	Added dompurify dependency
public/index.html	Load DOMPurify script
public/viewer-toolbar.js	Sanitize marked output
public/viewer-panel.js	Sanitize marked output

Test plan

• npm test passes
• npm run bundle:codemirror builds successfully
• Verify markdown preview still renders correctly in plans/memory viewers
• Verify file panel opens/saves files within project directories
• Verify file panel rejects paths outside project directories
• Verify new session launch with worktree name / additional dirs still works
• Verify CSP doesn't break any existing functionality (xterm, codemirror, etc.)

🤖 Generated with Claude Code

[abasiri]

Great stuff. Thank you

[abasiri]

@navedr the OSC8 hyperlinks in the terminal can point to any file. So in Claude when you are modifying a file, it becomes clickable and clicking it opens it in a side panel. So this restriction would break that:

Read-file-for-panel, save-file-for-panel, watch-file.

[navedr]

Good point — updated in dc2e2a4.

Changed the approach for file panel IPC (read-file-for-panel, save-file-for-panel, watch-file):

• Before: strict allowlist (only ~/.claude/ + active project dirs) — would break OSC8 hyperlinks
• After: denylist of known-sensitive paths (.ssh/, .gnupg/, .aws/credentials, .env, .netrc, .docker/config.json, .kube/config)

Memory IPC (read-memory, save-memory) keeps the strict allowlist since those only need ~/.claude/ and project dirs.

The primary defense against the XSS→file-access chain is CSP + DOMPurify — the sensitive path denylist is defense-in-depth.