@chahuadev/junk-sweeper-app 1.0.0 → 1.0.1

package/README.md

@@ -65,6 +65,24 @@ Worker Threads keep the UI responsive while scanning 1,000+ file projects.
 
 ---
 
+## 🔒 Security Guarantee
+
+Junk Sweeper is **read-only by design** — verified at the code level, not just by policy.
+
+| Guarantee | How It Works |
+|---|---|
+| **Never modifies user files** | All detectors use `fs.readFileSync()` only — no `writeFileSync()` anywhere near your code |
+| **Never touches the OS** | No registry writes, no admin privilege requests, no system calls outside the app's own data folder |
+| **Path Traversal Protection** | Every scan path is validated against `../` traversal, symlinks, and forbidden OS directories (`System32`, `/etc`, `/sys`, `/proc`) |
+| **Executable Injection Prevention** | Strict file-type whitelist — `.exe`, `.dll`, `.bat`, `.sh` and all binary formats are blocked before analysis |
+| **App Integrity on Every Launch** | SHA-256 checksums of `main.js`, `preload.js`, and all detectors are verified before the app starts — tampered builds are rejected |
+| **Sandboxed Renderer** | Electron runs with `contextIsolation: true`, `sandbox: true`, `nodeIntegration: false` — the UI has zero direct Node.js access |
+| **Audit Log** | Every file access and security event is logged to `~/.chahuadev/logs/` for full traceability |
+
+The only files the app ever writes are its **own** layout cache (`%APPDATA%\Junk Sweeper\layouts\`) and its own security audit log — nothing inside your project.
+
+---
+
 ## 📦 Platform Support
 
 | Platform | Architecture | Status |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chahuadev/junk-sweeper-app",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Chahuadev Junk Sweeper — AST-based dead code & silent bug detector with interactive architecture map",
   "main": "index.js",
   "bin": {