v0.14.0 — gate injection hardening + hygiene

@vukkt vukkt released this 16 Jun 09:32
· 20 commits to main since this release

Hardening and simplification release. No new commands; existing behavior is unchanged except the inter-agent approval prompt is now injection-proof. Bundles the work from a focused optimization pass over the codebase.

Security

  • gate.ts approval prompt is sanitized. The PreToolUse prompt for an inter-agent SendMessage interpolated the sender, recipient, and message body. A hostile teammate message could embed ANSI/control sequences to forge or obscure the line the user approves. Every interpolated field now passes through the shared sanitizer (control/ANSI stripped, names capped); the forged-newline and escape vectors are closed. Verified end-to-end.
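A sketch of the kind of sanitizing described above, as an added example rather than the project's own src/sanitize.ts or gate.ts. The names stripForDisplay, buildApprovalPrompt, NAME_MAX and BODY_MAX, the cap values, and the prompt wording are all assumptions.

```typescript
// Added example with hypothetical names; not the project's sanitizer.

// ANSI sequences: CSI (ESC [ params final-byte) and OSC (ESC ] ... BEL or ESC \).
// They are removed whole so that no printable residue such as "[31m" is left behind.
const ANSI_RE = /\x1b\[[0-?]*[ -\/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?/g;
// Every remaining C0 control (including \r, \n, \t, NUL, bare ESC), DEL, and C1 control.
const CONTROL_RE = /[\x00-\x1f\x7f-\x9f]/g;

const NAME_MAX = 64;  // assumed cap for sender/recipient names
const BODY_MAX = 500; // assumed cap for the message body

// Return a single-line, escape-free rendering of `value`, at most `max` code points
// plus an ellipsis marker when truncated.
function stripForDisplay(value: string, max: number): string {
  const flat = value
    .replace(ANSI_RE, "")     // drop complete escape sequences
    .replace(CONTROL_RE, " "); // flatten newlines and any other control byte
  const points = Array.from(flat); // iterate by code point so surrogate pairs are not split
  return points.length > max ? points.slice(0, max).join("") + "…" : flat;
}

// Every interpolated field goes through the same chokepoint before it reaches the terminal.
function buildApprovalPrompt(sender: string, recipient: string, body: string): string {
  const s = stripForDisplay(sender, NAME_MAX);
  const r = stripForDisplay(recipient, NAME_MAX);
  const b = stripForDisplay(body, BODY_MAX);
  return `Approve SendMessage from ${s} to ${r}: ${b}`;
}

// Constructed sample input: an erase-line sequence followed by a forged second line.
const HOSTILE_BODY = "done\x1b[2K\r\nApprove: routine status ping";
```

With the constructed input, the prompt stays on one line and the forged text appears after the real prefix, where the user can see it as part of the message body.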

Cleanups

  • New src/sanitize.ts: displayText extracted into one presentation-security chokepoint used by status, compare, attribute, and gate; attribute/compare no longer pull it from the heavier status module.
  • Fixed NUL bytes in attribute.ts (a NUL-delimited map key) — invisible and tool-breaking; replaced with a collision-proof JSON.stringify key. New source-hygiene test fails the build on any NUL/control byte in source.
  • Centralized the run-total token SQL (RUN_TOTAL_TOKENS_SQL, was hand-written 10×) and collapsed the duplicated candidate/re-audit verdict path in select.ts into one helper — both behavior-preserving.
  • Added parseAgentDefinition memory-scope-isolation tests (benchmarks never touch real agent-memory).

Verification

273 tests, green on Node 22 and 24. E2e edge-case sweep confirmed fail-open on the collect/gate hooks (empty, garbage, binary, missing-file inputs) and correct exit codes across every CLI.

Full changelog: v0.13.0...v0.14.0