Please report security vulnerabilities through GitHub's private vulnerability reporting.

Do not open a public issue for security vulnerabilities.

We will acknowledge your report within 7 days and aim to release a fix within 30 days of confirmation.

Security issues relevant to this project include:

• Command injection via terminal spawning or JSONL parsing
• Arbitrary file read/write beyond intended paths
• Cross-site scripting (XSS) in the webview
• Sensitive data exposure (e.g., leaking terminal output or session content)