v0.1.2 — security release

@igor-ctrl igor-ctrl released this 05 May 20:22
· 31 commits to main since this release

Security release. Closes four findings from a third-party security scan against the repo. No public SDK signature changes; the CLI gains one new flag (bcli batch run --yes).

Security

  • WorkOS localhost callback now binds a per-login high-entropy state token. Any unsolicited request reaching the loopback callback during the login window is rejected with 400 (state mismatch) or 404 (wrong path) instead of being exchanged for a role-bearing identity and persisted to disk. (vuln-0001, HIGH, CWE-352)
  • bcli batch run now honours disable_writes. Mutating batch steps on a read-only profile prompt for confirmation interactively or abort with exit 1 in non-interactive sessions. New --yes / -y flag opts scripted use past the prompt. Pure GET batches and --dry-run are unaffected. (vuln-0002, MEDIUM, CWE-841)
  • Browser auth callback listener now binds an ephemeral kernel-assigned port and serves continuously until a state-bound callback arrives or the timeout expires. Stray requests (/favicon.ico) and state-mismatched callbacks no longer consume the only callback slot. Microsoft Entra accepts any port for http://localhost redirect URIs on public clients per RFC 8252, so existing app registrations continue to work. (vuln-0003, MEDIUM)
  • SafeContext writes are now bound to the explicit environment and company_id passed to client.safe_write(env, company), not the client's profile-bound target. Previously the safety gate validated operator intent but the underlying URL still resolved against the profile, so writes inside safe_write("Sandbox", "company-SANDBOX") could still hit Production/company-PROD. (vuln-0004, HIGH, CWE-841)
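
The callback behaviour described in the first and third items above, sketched as an added example (not bcli's own code): a loopback listener on a kernel-assigned port that keeps serving until a state-bound callback arrives or the timeout expires. The /callback path, the function names and the request sequence in demo() are assumptions made for illustration, and the identity-provider code exchange is left out.

```python
import hmac, http.client, secrets, threading, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

CALLBACK_PATH = "/callback"  # assumed path, not taken from the project

def wait_for_callback(on_ready, timeout=5.0):
    """Serve until a state-bound callback arrives or the timeout expires."""
    state = secrets.token_urlsafe(32)      # fresh per login, 256 bits of entropy
    result, statuses = {"code": None}, []

    class Handler(BaseHTTPRequestHandler):
        timeout = 2                        # a silent connection cannot hold the loop
        def do_GET(self):
            url = urlparse(self.path)
            params = parse_qs(url.query)
            got = params.get("state", [""])[0]
            if url.path != CALLBACK_PATH:
                status = 404               # stray request such as /favicon.ico
            elif "code" not in params or not hmac.compare_digest(
                    got.encode(), state.encode()):
                status = 400               # state mismatch: code is never exchanged
            else:
                status, result["code"] = 200, params["code"][0]
            statuses.append(status)
            self.send_response(status)
            self.end_headers()
        def log_message(self, *args):      # keep the example quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)   # port 0: kernel assigns one
    port = server.server_address[1]
    threading.Thread(target=on_ready, args=(port, state), daemon=True).start()
    deadline = time.monotonic() + timeout
    while result["code"] is None and time.monotonic() < deadline:
        server.timeout = max(0.05, deadline - time.monotonic())
        server.handle_request()            # rejected requests do not end the wait
    server.server_close()
    return result["code"], statuses

def demo():
    def browser(port, state):              # constructed traffic, not real logs
        for path in ("/favicon.ico", "/callback?code=x&state=guess",
                     f"/callback?code=abc123&state={state}"):
            conn = http.client.HTTPConnection("127.0.0.1", port, timeout=2)
            conn.request("GET", path)
            conn.getresponse().read()
            conn.close()
    return wait_for_callback(browser)

if __name__ == "__main__":
    print(demo())
```

The stray request and the guessed state are answered with 404 and 400 and the listener stays up, so only the request carrying the per-login state yields a code.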

Upgrade notes

  • CI scripts running mutating batches against a disable_writes profile now abort unless --yes is passed. Existing automation against writable profiles is unaffected.
  • Browser auth no longer requires port 8400 to be free; existing Entra app registrations of http://localhost or http://localhost:8400 continue to work.