v1.8.0 — Security Hardening

Security Release

This release addresses 12 security findings from a comprehensive pre-launch audit.

Security Fixes

• Prompt injection mitigation — node names sanitized before MCP tool responses
• Path traversal protection — repo_root validated as a project directory
• VSCode RCE fix — cliPath locked to machine-level settings only
• XSS fix — visualization HTML escapes quotes and backticks
• SRI for CDN — D3.js loaded with integrity hash
• Secure nonces — crypto.randomBytes() replaces Math.random()
• Symlink protection — symlinks skipped in build and watch mode
• TOCTOU fix — file read once, hash and parse from same buffer

Reliability Fixes

• Thread-safe NetworkX cache with threading.Lock
• BFS capped at 500 nodes to prevent resource exhaustion
• SQL IN clause batched to respect SQLite parameter limits
• Dependency version upper bounds pinned

See CHANGELOG.md for full details.