fix: security hardening from external audit

[lfl1337]

Background

An external security audit on v0.5.7 (commit b181826) surfaced one HIGH and two MEDIUM findings plus a LOW error-hygiene note. The audit used npm audit, Trivy, OSV-Scanner, gitleaks, Semgrep (six rule packs), njsscan, manual review, and runtime fuzzing against pathological JSONL. Supply-chain posture was clean: zero CVEs, zero secret findings over the full git history, zero Semgrep hits. The findings are all in application code and all share one threat model: an attacker with write access to ~/.claude/projects/<x>/ (realistic carrier: a compromised third-party AI CLI that shares the session-log directory).

This PR closes all four findings on the current v0.7.0 surface.

Findings Closed

Finding	Fix
HIGH-1 prototype pollution via bracket-assign on breakdown maps (parser.ts)	Object.create(null) for the four reachable maps (model, tool, mcp, bash). Four lines touched. Attacker-controlled keys named __proto__ now create an own property on the map rather than mutating Object.prototype. Empirical fuzzing in the audit confirmed the polluted state crashes piped-mode output via Ink/yoga (codeburn today | cat).
MEDIUM-1 unbounded readFile on attacker-sized JSONL	New src/fs-utils.ts with a 128 MB hard cap and 8 MB streaming threshold. readSessionFile / readSessionFileSync / readSessionLines replace every direct readFile on session paths. Files above the cap return null and skip silently (or log under --verbose). Files between the streaming threshold and the cap read via createReadStream + readline to avoid the readFile + split('\n') doubling.
MEDIUM-2 SwiftBar directive separator injection via unsanitized model names	sanitizeMenubarLabel replaces anything outside [A-Za-z0-9 ._/-] with ? and truncates to 14 chars before padEnd. Applied to all model- and category-name interpolation sites across today / 7d / 30d / month blocks.
LOW-1 silent error swallow in parseSessionFile	Helper emits codeburn: stat failed for <path>: <code> / codeburn: skipped oversize file … / codeburn: read failed for <path>: <code> to stderr when CODEBURN_VERBOSE=1. New global --verbose CLI flag sets the env var via a commander preAction hook. Default behavior unchanged.

Scope Expansion vs. Audit

The audit was on v0.5.7 and listed 6 MEDIUM-1 call-sites. Between v0.5.7 and v0.7.0 three more files grew similar unbounded-read patterns, bringing the total to 13:

• src/optimize.ts — 1 async + 3 sync reads (v0.7.0)
• src/context-budget.ts — 3 async reads (v0.6.1)
• src/providers/copilot.ts — 1 additional site at :181 for workspace.yaml (v0.6.0)

The helper migration covers all 13. The same threat model applies — any JSONL dropped into the Claude projects directory can reach these readers, so fixing only the audit-original six would leave live paths open on the current release.

Test Coverage

New tests (11 added, all pass):

• tests/security/prototype-pollution.test.ts — three cases reproducing the HIGH-1 PoC (tool-use __proto__, bash basename __proto__, model __proto__). Fixtures in tests/fixtures/security/.
• tests/fs-utils.test.ts — five cases covering the fast path, stream-threshold path, over-cap skip, verbose stderr, and stat-failure.
• tests/security/menubar-injection.test.ts — three cases for pipe-in-model, ANSI-in-model, pipe-in-category.

Full suite: 209/209 pass (198 pre-existing + 11 new). No other test files modified.

Verification

Re-ran Semgrep (p/javascript + p/typescript + p/security-audit + p/owasp-top-ten + p/nodejs) and njsscan on the patched branch. Both produced the same output as the v0.7.0 baseline — Semgrep 0 findings, njsscan 1 pre-existing dismissed false positive on src/providers/cursor.ts. No new finding classes introduced by the 93 LOC of src/fs-utils.ts or the edits elsewhere.

Manual runtime check: codeburn report, codeburn today, codeburn optimize, codeburn menubar all render normally on real session data.

Compatibility

• No public API changes.
• Default behavior unchanged: the helper is silent unless CODEBURN_VERBOSE=1 or --verbose. Existing users see identical output.
• No new dependencies. Helper uses only fs, fs/promises, readline from Node's stdlib.
• Object.create(null) objects iterate via Object.entries / bracket access exactly like {} — downstream consumers in dashboard.tsx and menubar.ts need no changes.

Out of Scope

Tracked as separate follow-ups (not in this PR):

• Issue .claudeignore is not a claude feature #61 (.claudeignore references in optimize.ts) — shipping as its own small PR.
• Structural CI rule to prevent re-introducing the bracket-assign pattern in future providers — worth a small chore(ci) PR later.
• Streaming-aggregation for all-time reports (total-memory for hundreds of sessions, distinct from the per-file cap this PR adds) — performance, not security.

Commits

aaa5ca8 feat(cli): add --verbose flag for stderr warnings
b257690 fix(menubar): sanitize SwiftBar labels via allowlist
1709bc5 test(security): add failing test for MEDIUM-2 menubar injection
2968e08 fix(optimize): use bounded read helpers
fb07852 fix(context-budget): use bounded readSessionFile helper
a11f530 fix(pi): use bounded readSessionFile helper
a555325 fix(copilot): use bounded readSessionFile helper
9c3d565 fix(codex): use bounded readSessionFile helper
743b199 fix(parser): use bounded readSessionFile helper
79b80c6 feat(fs-utils): bounded session-file read helper
a48907f test(fs-utils): add failing test for bounded read helper
2b22e18 fix(parser): block prototype pollution via Object.create(null)
04d0ed2 test(security): add failing test for HIGH-1 prototype pollution

[AgentSeal]

Merged as part of 0.7.1. https://github.com/AgentSeal/codeburn/releases/tag/v0.7.1

Thanks @lfl1337, excellent work on the audit follow-through and the scope expansion to cover the v0.6.x and v0.7.0 read sites. The TDD commit structure was appreciated.