security: fix 5 findings from issue #42 — env leak, ant gate, depth DoS, URL parse, CA cert

Finding 1 [CRITICAL] — sessionRunner leaks full process.env to child
Extract buildChildEnv() with an explicit allowlist of safe OS/runtime vars.
Child process no longer inherits ANTHROPIC_API_KEY, OPENAI_API_KEY, DB
credentials, or any other secret present in the parent shell environment.
Only CLAUDE_CODE_* bridge vars, PATH, HOME, and standard OS env are passed.

Finding 2 [HIGH] — USER_TYPE=ant activatable by external users
Add isAntEmployee() -> false constant in src/utils/buildConfig.ts.
Replace all three direct process.env.USER_TYPE === 'ant' checks in
setup.ts and onChangeAppState.ts so no external user can activate
Anthropic-internal code paths (commit attribution, system prompt clearing,
dangerously-skip-permissions bypass) by setting USER_TYPE in their shell.

Finding 3 [HIGH] — memoryScan.ts unlimited directory walk
Add MAX_DEPTH=3 guard on readdir({ recursive: true }) results.
Deep or symlink-looped memory directories no longer cause an unbounded
blocking walk before the MAX_MEMORY_FILES cap takes effect.

Finding 5 [HIGH] — buildSdkUrl uses string.includes for protocol detection
Replace apiBaseUrl.includes('localhost') with new URL(apiBaseUrl).hostname
comparison so a remote URL containing 'localhost' in its path no longer
incorrectly gets ws:// (unencrypted) instead of wss://.

Finding 6 [HIGH] — upstream proxy writes unvalidated CA cert to disk
Add isValidPemContent() validation before writeFile in the CA cert download
path. A compromised proxy sending non-PEM data (HTML, JSON, scripts) is now
rejected before it can be appended to the system CA bundle.

Each fix is covered by new unit tests (25 tests across 5 new test files).
All 52 tests pass. Build verified clean on v0.1.7.

Fixes #42

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/utils/buildConfig.test.ts

@@ -0,0 +1,20 @@
+import { expect, test } from 'bun:test'
+import { isAntEmployee } from './buildConfig.ts'
+
+// Finding #42-2: process.env.USER_TYPE === 'ant' is checked directly in multiple
+// places, allowing any external user to activate Anthropic-internal code paths.
+// In OpenClaude, this must always be false regardless of env var.
+
+test('isAntEmployee always returns false in OpenClaude regardless of USER_TYPE env var', () => {
+  const original = process.env.USER_TYPE
+  process.env.USER_TYPE = 'ant'
+  expect(isAntEmployee()).toBe(false)
+  process.env.USER_TYPE = original
+})
+
+test('isAntEmployee returns false even when USER_TYPE is unset', () => {
+  const original = process.env.USER_TYPE
+  delete process.env.USER_TYPE
+  expect(isAntEmployee()).toBe(false)
+  process.env.USER_TYPE = original
+})

src/utils/buildConfig.ts

@@ -0,0 +1,18 @@
+/**
+ * OpenClaude build-time constants.
+ *
+ * These replace process.env checks that were only meaningful in Anthropic's
+ * internal build. In OpenClaude all such gates are permanently disabled so
+ * external users cannot activate internal code paths by setting env vars.
+ */
+
+/**
+ * Always false in OpenClaude.
+ * Replaces all `process.env.USER_TYPE === 'ant'` checks so that no external
+ * user can activate Anthropic-internal features (commit attribution hooks,
+ * system-prompt section clearing, dangerously-skip-permissions bypass, etc.)
+ * by setting USER_TYPE in their shell environment.
+ */
+export function isAntEmployee(): boolean {
+  return false
+}