shiva-code 0.5.0 → 0.5.1

package/dist/index.js

@@ -49,7 +49,7 @@ import {
   getPackageLaunchConfig,
   getPackageStats,
   removeProjectFromPackage
-} from "./chunk-5RCSFT5F.js";
+} from "./chunk-LBTCSQAX.js";
 import {
   encodeProjectPath,
   findProject,
@@ -67,8 +67,12 @@ import {
   isSessionActive,
   isSessionCorrupted,
   isSessionCorruptedQuick,
+  isValidProjectPath,
+  isValidSessionId,
+  maskSecret,
+  sanitizeForLog,
   saveRecoveredContext
-} from "./chunk-IDM6KY2R.js";
+} from "./chunk-H5OFO4VS.js";
 import {
   cache
 } from "./chunk-HIQO2DBA.js";
@@ -310,9 +314,9 @@ var ApiClient = class {
     return this.request("/projects/stats");
   }
   // Find project by path
-  async findProjectByPath(path15) {
+  async findProjectByPath(path16) {
     const projects = await this.getProjects();
-    return projects.find((p) => p.path === path15) || null;
+    return projects.find((p) => p.path === path16) || null;
   }
   // ============================================
   // Secrets Vault Endpoints
@@ -889,21 +893,21 @@ function generateBackupCodes(count = 10) {
   return codes;
 }
 function generateDeviceFingerprint() {
-  const os7 = __require("os");
+  const os8 = __require("os");
   const components = [
-    os7.hostname(),
-    os7.platform(),
-    os7.arch(),
-    os7.cpus()[0]?.model || "unknown",
-    os7.userInfo().username
+    os8.hostname(),
+    os8.platform(),
+    os8.arch(),
+    os8.cpus()[0]?.model || "unknown",
+    os8.userInfo().username
   ];
   const fingerprint = crypto.createHash("sha256").update(components.join("|")).digest("hex").slice(0, 32);
   return fingerprint;
 }
 function getDeviceName() {
-  const os7 = __require("os");
-  const hostname = os7.hostname();
-  const platform = os7.platform();
+  const os8 = __require("os");
+  const hostname = os8.hostname();
+  const platform = os8.platform();
   const platformNames = {
     darwin: "macOS",
     linux: "Linux",
@@ -2401,9 +2405,9 @@ var Errors = {
     "Bitte sp\xE4ter erneut versuchen"
   ),
   // File/Path errors
-  PATH_NOT_FOUND: (path15) => new ShivaError(
+  PATH_NOT_FOUND: (path16) => new ShivaError(
     "PATH_404",
-    path15 ? `Pfad nicht gefunden: ${path15}` : "Pfad nicht gefunden",
+    path16 ? `Pfad nicht gefunden: ${path16}` : "Pfad nicht gefunden",
     "Pfad \xFCberpr\xFCfen und erneut versuchen"
   ),
   FILE_NOT_FOUND: (file) => new ShivaError(
@@ -2411,9 +2415,9 @@ var Errors = {
     file ? `Datei nicht gefunden: ${file}` : "Datei nicht gefunden",
     void 0
   ),
-  PERMISSION_DENIED: (path15) => new ShivaError(
+  PERMISSION_DENIED: (path16) => new ShivaError(
     "PERMISSION_DENIED",
-    path15 ? `Keine Berechtigung: ${path15}` : "Keine Berechtigung",
+    path16 ? `Keine Berechtigung: ${path16}` : "Keine Berechtigung",
     "Berechtigungen pr\xFCfen oder mit sudo ausf\xFChren"
   ),
   // Package errors
@@ -4401,15 +4405,17 @@ projectCommand.command("status").description("Projekt-Status anzeigen").action(a
 // src/commands/session/start.ts
 import { Command as Command10 } from "commander";
 import * as fs from "fs";
-import * as path3 from "path";
+import * as path4 from "path";
 import ora6 from "ora";
 import { spawnSync as spawnSync4 } from "child_process";
 
 // src/services/infrastructure/terminal.ts
-import { spawn as spawn2, execSync as execSync2, spawnSync as spawnSync2 } from "child_process";
+import { spawn as spawn2, spawnSync as spawnSync2 } from "child_process";
+import * as path3 from "path";
+import * as os3 from "os";
 
 // src/services/infrastructure/docker.ts
-import { execSync, spawn } from "child_process";
+import { spawn, spawnSync } from "child_process";
 import * as path2 from "path";
 import * as os2 from "os";
 var DockerService = class {
@@ -4422,33 +4428,46 @@ var DockerService = class {
   }
   /**
    * Get Docker runtime information
+   * SECURITY: Uses spawnSync with array args
    */
   getDockerInfo() {
     if (this.cachedInfo) {
       return this.cachedInfo;
     }
     try {
-      const version = execSync("docker --version", { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] }).trim();
-      const socket = this.findDockerSocket("docker");
-      this.cachedInfo = {
-        available: true,
-        version: version.replace("Docker version ", "").split(",")[0],
-        runtime: "docker",
-        socket
-      };
-      return this.cachedInfo;
+      const result = spawnSync("docker", ["--version"], {
+        encoding: "utf8",
+        stdio: ["pipe", "pipe", "pipe"]
+      });
+      if (result.status === 0 && result.stdout) {
+        const version = result.stdout.trim();
+        const socket = this.findDockerSocket("docker");
+        this.cachedInfo = {
+          available: true,
+          version: version.replace("Docker version ", "").split(",")[0],
+          runtime: "docker",
+          socket
+        };
+        return this.cachedInfo;
+      }
     } catch {
     }
     try {
-      const version = execSync("podman --version", { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] }).trim();
-      const socket = this.findDockerSocket("podman");
-      this.cachedInfo = {
-        available: true,
-        version: version.replace("podman version ", ""),
-        runtime: "podman",
-        socket
-      };
-      return this.cachedInfo;
+      const result = spawnSync("podman", ["--version"], {
+        encoding: "utf8",
+        stdio: ["pipe", "pipe", "pipe"]
+      });
+      if (result.status === 0 && result.stdout) {
+        const version = result.stdout.trim();
+        const socket = this.findDockerSocket("podman");
+        this.cachedInfo = {
+          available: true,
+          version: version.replace("podman version ", ""),
+          runtime: "podman",
+          socket
+        };
+        return this.cachedInfo;
+      }
     } catch {
     }
     this.cachedInfo = {
@@ -4492,8 +4511,12 @@ var DockerService = class {
   // ============================================
   /**
    * Pull a Docker image
+   * SECURITY: Validates image name before use
    */
   async pullImage(image) {
+    if (!this.isValidImage(image)) {
+      throw new Error(`Invalid image name: ${sanitizeForLog(image)}`);
+    }
     const cmd = this.getCommand();
     return new Promise((resolve13, reject) => {
       const pull = spawn(cmd, ["pull", image], { stdio: "inherit" });
@@ -4501,7 +4524,7 @@ var DockerService = class {
         if (code === 0) {
           resolve13();
         } else {
-          reject(new Error(`Failed to pull image: ${image}`));
+          reject(new Error(`Failed to pull image: ${sanitizeForLog(image)}`));
         }
       });
       pull.on("error", (err) => {
@@ -4509,14 +4532,32 @@ var DockerService = class {
       });
     });
   }
+  /**
+   * Validate an image name
+   */
+  isValidImage(image) {
+    if (!image || typeof image !== "string") {
+      return false;
+    }
+    if (/[;&|`$(){}[\]<>\\!#*?"'\n\r\t]/.test(image)) {
+      return false;
+    }
+    return image.length > 0 && image.length <= 256;
+  }
   /**
    * Check if an image exists locally
+   * SECURITY: Uses spawnSync with array args
    */
   imageExists(image) {
+    if (!this.isValidImage(image)) {
+      return false;
+    }
     const cmd = this.getCommand();
     try {
-      execSync(`${cmd} image inspect ${image}`, { stdio: "ignore" });
-      return true;
+      const result = spawnSync(cmd, ["image", "inspect", image], {
+        stdio: "pipe"
+      });
+      return result.status === 0;
     } catch {
       return false;
     }
@@ -4530,14 +4571,23 @@ var DockerService = class {
   }
   /**
    * List local images
+   * SECURITY: Uses spawnSync with array args
    */
   listImages() {
     const cmd = this.getCommand();
     try {
-      const output = execSync(`${cmd} images --format "{{.Repository}}	{{.Tag}}	{{.ID}}	{{.Size}}"`, {
-        encoding: "utf8"
+      const result = spawnSync(cmd, [
+        "images",
+        "--format",
+        "{{.Repository}}	{{.Tag}}	{{.ID}}	{{.Size}}"
+      ], {
+        encoding: "utf8",
+        stdio: ["pipe", "pipe", "pipe"]
       });
-      return output.trim().split("\n").filter((line) => line.includes("shiva") || line.includes("claude")).map((line) => {
+      if (result.status !== 0 || !result.stdout) {
+        return [];
+      }
+      return result.stdout.trim().split("\n").filter((line) => line.includes("shiva") || line.includes("claude")).map((line) => {
         const [repository, tag, id, size] = line.split("	");
         return { repository, tag, id, size };
       });
@@ -4548,24 +4598,55 @@ var DockerService = class {
   // ============================================
   // Container Lifecycle
   // ============================================
+  /**
+   * Validate container ID format
+   */
+  isValidContainerId(id) {
+    return /^[a-f0-9]{12,64}$/i.test(id);
+  }
+  /**
+   * Validate container name
+   */
+  isValidContainerNameInternal(name) {
+    return /^[a-zA-Z0-9][a-zA-Z0-9_.-]*$/.test(name) && name.length <= 128;
+  }
   /**
    * Create a new container
+   * SECURITY: Uses spawnSync with array args, validates all inputs
    */
   async createContainer(config2) {
     const cmd = this.getCommand();
     const args = ["create"];
     if (config2.name) {
+      if (!this.isValidContainerNameInternal(config2.name)) {
+        throw new Error(`Invalid container name: ${sanitizeForLog(config2.name)}`);
+      }
       args.push("--name", config2.name);
     }
+    if (!isValidProjectPath(config2.workdir)) {
+      throw new Error(`Invalid workdir: ${sanitizeForLog(config2.workdir)}`);
+    }
     args.push("--workdir", config2.workdir);
     for (const mount of config2.mounts) {
+      if (!isValidProjectPath(mount.host)) {
+        log.warn(`Skipping invalid mount path: ${sanitizeForLog(mount.host)}`);
+        continue;
+      }
       args.push("-v", `${mount.host}:${mount.container}:${mount.mode}`);
     }
     for (const [key, value] of Object.entries(config2.env)) {
+      if (!/^[A-Z_][A-Z0-9_]*$/i.test(key)) {
+        log.warn(`Skipping invalid env var name: ${sanitizeForLog(key)}`);
+        continue;
+      }
       args.push("-e", `${key}=${value}`);
     }
     if (config2.ports) {
       for (const [host, container] of Object.entries(config2.ports)) {
+        if (!/^\d+$/.test(String(host)) || !/^\d+$/.test(String(container))) {
+          log.warn(`Skipping invalid port mapping: ${host}:${container}`);
+          continue;
+        }
         args.push("-p", `${host}:${container}`);
       }
     }
@@ -4575,55 +4656,103 @@ var DockerService = class {
     if (config2.autoRemove) {
       args.push("--rm");
     }
+    if (!this.isValidImage(config2.image)) {
+      throw new Error(`Invalid image: ${sanitizeForLog(config2.image)}`);
+    }
     args.push(config2.image);
     try {
-      const containerId = execSync(`${cmd} ${args.join(" ")}`, { encoding: "utf8" }).trim();
-      return containerId;
+      const result = spawnSync(cmd, args, {
+        encoding: "utf8",
+        stdio: ["pipe", "pipe", "pipe"]
+      });
+      if (result.status !== 0) {
+        throw new Error(`Failed to create container: ${result.stderr || "Unknown error"}`);
+      }
+      return result.stdout.trim();
     } catch (error) {
       throw new Error(`Failed to create container: ${error instanceof Error ? error.message : "Unknown error"}`);
     }
   }
   /**
    * Start a container
+   * SECURITY: Validates container ID format
    */
   async startContainer(containerId) {
+    if (!this.isValidContainerId(containerId) && !this.isValidContainerNameInternal(containerId)) {
+      throw new Error(`Invalid container ID: ${sanitizeForLog(containerId)}`);
+    }
     const cmd = this.getCommand();
     try {
-      execSync(`${cmd} start ${containerId}`, { stdio: "ignore" });
+      const result = spawnSync(cmd, ["start", containerId], {
+        stdio: "pipe"
+      });
+      if (result.status !== 0) {
+        throw new Error(`Failed to start container`);
+      }
     } catch (error) {
       throw new Error(`Failed to start container: ${error instanceof Error ? error.message : "Unknown error"}`);
     }
   }
   /**
    * Stop a container
+   * SECURITY: Validates container ID format
    */
   async stopContainer(containerId) {
+    if (!this.isValidContainerId(containerId) && !this.isValidContainerNameInternal(containerId)) {
+      throw new Error(`Invalid container ID: ${sanitizeForLog(containerId)}`);
+    }
     const cmd = this.getCommand();
     try {
-      execSync(`${cmd} stop ${containerId}`, { stdio: "ignore" });
+      const result = spawnSync(cmd, ["stop", containerId], {
+        stdio: "pipe"
+      });
+      if (result.status !== 0) {
+        throw new Error(`Failed to stop container`);
+      }
     } catch (error) {
       throw new Error(`Failed to stop container: ${error instanceof Error ? error.message : "Unknown error"}`);
     }
   }
   /**
    * Remove a container
+   * SECURITY: Validates container ID format
    */
   async removeContainer(containerId) {
+    if (!this.isValidContainerId(containerId) && !this.isValidContainerNameInternal(containerId)) {
+      throw new Error(`Invalid container ID: ${sanitizeForLog(containerId)}`);
+    }
     const cmd = this.getCommand();
     try {
-      execSync(`${cmd} rm -f ${containerId}`, { stdio: "ignore" });
+      const result = spawnSync(cmd, ["rm", "-f", containerId], {
+        stdio: "pipe"
+      });
+      if (result.status !== 0) {
+        throw new Error(`Failed to remove container`);
+      }
     } catch (error) {
       throw new Error(`Failed to remove container: ${error instanceof Error ? error.message : "Unknown error"}`);
     }
   }
   /**
    * Get container logs
+   * SECURITY: Validates container ID, uses array args
    */
   getContainerLogs(containerId, tail) {
+    if (!this.isValidContainerId(containerId) && !this.isValidContainerNameInternal(containerId)) {
+      return "";
+    }
     const cmd = this.getCommand();
-    const tailArg = tail ? `--tail ${tail}` : "";
+    const args = ["logs"];
+    if (tail && tail > 0) {
+      args.push("--tail", String(tail));
+    }
+    args.push(containerId);
     try {
-      return execSync(`${cmd} logs ${tailArg} ${containerId}`, { encoding: "utf8" });
+      const result = spawnSync(cmd, args, {
+        encoding: "utf8",
+        stdio: ["pipe", "pipe", "pipe"]
+      });
+      return result.stdout || "";
     } catch {
       return "";
     }
@@ -4633,16 +4762,27 @@ var DockerService = class {
   // ============================================
   /**
    * Run Claude Code in a container
+   * SECURITY: Validates all inputs, uses spawn with array args
    */
   async runClaudeInContainer(launch, dockerSettings) {
+    if (!isValidProjectPath(launch.projectPath)) {
+      throw new Error(`Invalid project path: ${sanitizeForLog(launch.projectPath)}`);
+    }
+    if (launch.sessionId && !isValidSessionId(launch.sessionId)) {
+      throw new Error(`Invalid session ID: ${sanitizeForLog(launch.sessionId)}`);
+    }
     const cmd = this.getCommand();
     const settings = dockerSettings || settingsSync.getDockerSettings();
     const image = settings.defaultImage || this.getDefaultImage();
+    if (!this.isValidImage(image)) {
+      throw new Error(`Invalid image: ${sanitizeForLog(image)}`);
+    }
     if (!this.imageExists(image)) {
-      log.info(`Pulling Docker image: ${image}...`);
+      log.info(`Pulling Docker image: ${sanitizeForLog(image)}...`);
       await this.pullImage(image);
     }
-    const containerName = `shiva-${launch.projectName.replace(/[^a-zA-Z0-9-]/g, "-")}-${Date.now()}`;
+    const safeName = launch.projectName.replace(/[^a-zA-Z0-9-]/g, "-").substring(0, 50);
+    const containerName = `shiva-${safeName}-${Date.now()}`;
     const claudeArgs = [];
     if (launch.sessionId && !launch.newSession) {
       claudeArgs.push("--resume", launch.sessionId);
@@ -4671,13 +4811,19 @@ var DockerService = class {
       `${path2.join(os2.homedir(), ".config", "shiva-code")}:/root/.config/shiva-code:rw`
     ];
     for (const [host, container] of Object.entries(settings.volumeMounts || {})) {
-      args.push("-v", `${host}:${container}:rw`);
+      if (isValidProjectPath(host)) {
+        args.push("-v", `${host}:${container}:rw`);
+      }
     }
     for (const [key, value] of Object.entries(settings.environment || {})) {
-      args.push("-e", `${key}=${value}`);
+      if (/^[A-Z_][A-Z0-9_]*$/i.test(key)) {
+        args.push("-e", `${key}=${value}`);
+      }
     }
     for (const [key, value] of Object.entries(secrets)) {
-      args.push("-e", `${key}=${value}`);
+      if (/^[A-Z_][A-Z0-9_]*$/i.test(key)) {
+        args.push("-e", `${key}=${value}`);
+      }
     }
     args.push(image);
     args.push("claude", ...claudeArgs);
@@ -4695,15 +4841,26 @@ var DockerService = class {
   }
   /**
    * List all SHIVA containers
+   * SECURITY: Uses spawnSync with array args
    */
   listShivaContainers() {
     const cmd = this.getCommand();
     try {
-      const output = execSync(
-        `${cmd} ps -a --filter "name=shiva-" --format "{{.ID}}	{{.Names}}	{{.Image}}	{{.Status}}	{{.CreatedAt}}	{{.Ports}}"`,
-        { encoding: "utf8" }
-      );
-      return output.trim().split("\n").filter((line) => line.length > 0).map((line) => {
+      const result = spawnSync(cmd, [
+        "ps",
+        "-a",
+        "--filter",
+        "name=shiva-",
+        "--format",
+        "{{.ID}}	{{.Names}}	{{.Image}}	{{.Status}}	{{.CreatedAt}}	{{.Ports}}"
+      ], {
+        encoding: "utf8",
+        stdio: ["pipe", "pipe", "pipe"]
+      });
+      if (result.status !== 0 || !result.stdout) {
+        return [];
+      }
+      return result.stdout.trim().split("\n").filter((line) => line.length > 0).map((line) => {
         const [id, name, image, statusRaw, createdAt, ports] = line.split("	");
         let status = "stopped";
         if (statusRaw.toLowerCase().includes("up")) {
@@ -4799,12 +4956,18 @@ var DockerService = class {
    * Set default Docker image
    */
   setDefaultImage(image) {
+    if (!this.isValidImage(image)) {
+      throw new Error(`Invalid image name: ${sanitizeForLog(image)}`);
+    }
     settingsSync.setDockerImage(image);
   }
   /**
    * Add a volume mount
    */
   addVolumeMount(hostPath, containerPath) {
+    if (!isValidProjectPath(hostPath)) {
+      throw new Error(`Invalid host path: ${sanitizeForLog(hostPath)}`);
+    }
     const settings = settingsSync.getDockerSettings();
     settingsSync.setDockerSettings({
       volumeMounts: {
@@ -4827,6 +4990,9 @@ var DockerService = class {
    * Add an environment variable
    */
   addEnvVar(key, value) {
+    if (!/^[A-Z_][A-Z0-9_]*$/i.test(key)) {
+      throw new Error(`Invalid environment variable name: ${sanitizeForLog(key)}`);
+    }
     const settings = settingsSync.getDockerSettings();
     settingsSync.setDockerSettings({
       environment: {
@@ -4911,15 +5077,26 @@ var DockerService = class {
   }
   /**
    * Run Claude in container with project-specific settings
+   * SECURITY: Validates all inputs, uses spawn with array args
    */
   async runClaudeInContainerWithProjectConfig(launch, projectPath) {
+    if (!isValidProjectPath(launch.projectPath)) {
+      throw new Error(`Invalid project path: ${sanitizeForLog(launch.projectPath)}`);
+    }
+    if (launch.sessionId && !isValidSessionId(launch.sessionId)) {
+      throw new Error(`Invalid session ID: ${sanitizeForLog(launch.sessionId)}`);
+    }
     const effectiveConfig = this.getEffectiveDockerConfig(projectPath);
     const cmd = this.getCommand();
+    if (!this.isValidImage(effectiveConfig.image)) {
+      throw new Error(`Invalid image: ${sanitizeForLog(effectiveConfig.image)}`);
+    }
     if (!this.imageExists(effectiveConfig.image)) {
-      log.info(`Pulling Docker image: ${effectiveConfig.image}...`);
+      log.info(`Pulling Docker image: ${sanitizeForLog(effectiveConfig.image)}...`);
       await this.pullImage(effectiveConfig.image);
     }
-    const containerName = `shiva-${launch.projectName.replace(/[^a-zA-Z0-9-]/g, "-")}-${Date.now()}`;
+    const safeName = launch.projectName.replace(/[^a-zA-Z0-9-]/g, "-").substring(0, 50);
+    const containerName = `shiva-${safeName}-${Date.now()}`;
     const claudeArgs = [];
     if (launch.sessionId && !launch.newSession) {
       claudeArgs.push("--resume", launch.sessionId);
@@ -4943,26 +5120,34 @@ var DockerService = class {
     } else if (effectiveConfig.network === "host") {
       args.push("--network", "host");
     }
-    if (effectiveConfig.resources.cpuLimit) {
+    if (effectiveConfig.resources.cpuLimit && /^[\d.]+$/.test(effectiveConfig.resources.cpuLimit)) {
       args.push("--cpus", effectiveConfig.resources.cpuLimit);
     }
-    if (effectiveConfig.resources.memoryLimit) {
+    if (effectiveConfig.resources.memoryLimit && /^[\d]+[kmgKMG]?$/.test(effectiveConfig.resources.memoryLimit)) {
       args.push("--memory", effectiveConfig.resources.memoryLimit);
     }
     for (const opt of effectiveConfig.securityOpts) {
-      args.push("--security-opt", opt);
+      if (/^[a-z:=_-]+$/i.test(opt)) {
+        args.push("--security-opt", opt);
+      }
     }
     args.push("-v", `${launch.projectPath}:/workspace:rw`);
     args.push("-v", `${path2.join(os2.homedir(), ".claude")}:/root/.claude:rw`);
     args.push("-v", `${path2.join(os2.homedir(), ".config", "shiva-code")}:/root/.config/shiva-code:rw`);
     for (const mount of effectiveConfig.mounts) {
-      args.push("-v", `${mount.host}:${mount.container}:${mount.mode}`);
+      if (isValidProjectPath(mount.host)) {
+        args.push("-v", `${mount.host}:${mount.container}:${mount.mode}`);
+      }
     }
     for (const [key, value] of Object.entries(effectiveConfig.environment)) {
-      args.push("-e", `${key}=${value}`);
+      if (/^[A-Z_][A-Z0-9_]*$/i.test(key)) {
+        args.push("-e", `${key}=${value}`);
+      }
     }
     for (const [key, value] of Object.entries(secrets)) {
-      args.push("-e", `${key}=${value}`);
+      if (/^[A-Z_][A-Z0-9_]*$/i.test(key)) {
+        args.push("-e", `${key}=${value}`);
+      }
     }
     args.push(effectiveConfig.image);
     args.push("claude", ...claudeArgs);
@@ -4977,8 +5162,11 @@ var dockerService = new DockerService();
 // src/services/infrastructure/terminal.ts
 function commandExists(command) {
   try {
-    execSync2(`which ${command}`, { stdio: "ignore" });
-    return true;
+    if (!/^[a-zA-Z0-9_-]+$/.test(command)) {
+      return false;
+    }
+    const result = spawnSync2("which", [command], { stdio: "pipe" });
+    return result.status === 0;
   } catch {
     return false;
   }
@@ -5016,90 +5204,93 @@ function isValidTerminalType(value) {
 function isInsideTmux() {
   return !!process.env.TMUX;
 }
-function buildClaudeCommand(project) {
-  const cdCommand = `cd "${project.projectPath}"`;
-  const launchArgs = getClaudeLaunchArgs();
-  const argsStr = launchArgs.length > 0 ? ` ${launchArgs.join(" ")}` : "";
-  if (project.newSession || !project.sessionId) {
-    return `${cdCommand} && claude${argsStr}`;
+function validateProject(project) {
+  if (!isValidProjectPath(project.projectPath)) {
+    return {
+      valid: false,
+      error: `Invalid project path: ${sanitizeForLog(project.projectPath)}`
+    };
   }
-  return `${cdCommand} && claude --resume ${project.sessionId}${argsStr}`;
+  if (project.sessionId && !isValidSessionId(project.sessionId)) {
+    return {
+      valid: false,
+      error: `Invalid session ID format: ${sanitizeForLog(project.sessionId)}`
+    };
+  }
+  return { valid: true };
+}
+function buildClaudeArgs(project) {
+  const args = [];
+  if (!project.newSession && project.sessionId) {
+    args.push("--resume", project.sessionId);
+  }
+  const launchArgs = getClaudeLaunchArgs();
+  args.push(...launchArgs);
+  return args;
+}
+function sanitizeProjectName(name) {
+  return name.replace(/[^a-zA-Z0-9_.-]/g, "-").substring(0, 50);
 }
 async function spawnInTmux(projects, sessionName) {
   const tmuxSession = sessionName || `shiva-${Date.now()}`;
   const insideTmux = isInsideTmux();
-  if (insideTmux) {
-    for (let i = 0; i < projects.length; i++) {
-      const project = projects[i];
-      const command = buildClaudeCommand(project);
+  for (let i = 0; i < projects.length; i++) {
+    const project = projects[i];
+    const validation = validateProject(project);
+    if (!validation.valid) {
+      console.error(`Skipping invalid project: ${validation.error}`);
+      continue;
+    }
+    const claudeArgs = buildClaudeArgs(project);
+    const safeName = sanitizeProjectName(project.projectName);
+    if (insideTmux) {
+      spawnSync2("tmux", [
+        "new-window",
+        "-n",
+        safeName,
+        "-c",
+        project.projectPath
+      ], { stdio: "inherit" });
+      const claudeCmd = ["claude", ...claudeArgs].join(" ");
+      spawnSync2("tmux", [
+        "send-keys",
+        claudeCmd,
+        "Enter"
+      ], { stdio: "inherit" });
+    } else {
       if (i === 0) {
         spawnSync2("tmux", [
-          "new-window",
+          "new-session",
+          "-d",
+          "-s",
+          tmuxSession,
           "-n",
-          project.projectName,
+          safeName,
           "-c",
           project.projectPath
         ], { stdio: "inherit" });
-        spawnSync2("tmux", [
-          "send-keys",
-          command,
-          "Enter"
-        ], { stdio: "inherit" });
       } else {
         spawnSync2("tmux", [
           "new-window",
+          "-t",
+          tmuxSession,
           "-n",
-          project.projectName,
+          safeName,
           "-c",
           project.projectPath
         ], { stdio: "inherit" });
-        spawnSync2("tmux", [
-          "send-keys",
-          command,
-          "Enter"
-        ], { stdio: "inherit" });
       }
-    }
-  } else {
-    const firstProject = projects[0];
-    const firstCommand = buildClaudeCommand(firstProject);
-    spawnSync2("tmux", [
-      "new-session",
-      "-d",
-      "-s",
-      tmuxSession,
-      "-n",
-      firstProject.projectName,
-      "-c",
-      firstProject.projectPath
-    ], { stdio: "inherit" });
-    spawnSync2("tmux", [
-      "send-keys",
-      "-t",
-      `${tmuxSession}:${firstProject.projectName}`,
-      firstCommand,
-      "Enter"
-    ], { stdio: "inherit" });
-    for (let i = 1; i < projects.length; i++) {
-      const project = projects[i];
-      const command = buildClaudeCommand(project);
-      spawnSync2("tmux", [
-        "new-window",
-        "-t",
-        tmuxSession,
-        "-n",
-        project.projectName,
-        "-c",
-        project.projectPath
-      ], { stdio: "inherit" });
+      const claudeCmd = ["claude", ...claudeArgs].join(" ");
       spawnSync2("tmux", [
         "send-keys",
         "-t",
-        `${tmuxSession}:${project.projectName}`,
-        command,
+        `${tmuxSession}:${safeName}`,
+        claudeCmd,
         "Enter"
       ], { stdio: "inherit" });
     }
+  }
+  if (!insideTmux) {
     spawn2("tmux", ["attach-session", "-t", tmuxSession], {
       stdio: "inherit"
     });
@@ -5107,81 +5298,102 @@ async function spawnInTmux(projects, sessionName) {
 }
 async function spawnInGnomeTerminal(projects) {
   const args = [];
-  for (let i = 0; i < projects.length; i++) {
-    const project = projects[i];
-    const command = buildClaudeCommand(project);
-    if (i === 0) {
-      args.push("--tab", "--title", project.projectName, "--", "bash", "-c", `${command}; exec bash`);
-    } else {
-      args.push("--tab", "--title", project.projectName, "--", "bash", "-c", `${command}; exec bash`);
+  for (const project of projects) {
+    const validation = validateProject(project);
+    if (!validation.valid) {
+      console.error(`Skipping invalid project: ${validation.error}`);
+      continue;
     }
+    const claudeArgs = buildClaudeArgs(project);
+    const safeName = sanitizeProjectName(project.projectName);
+    const wrapperScript = `cd ${escapeShellArg(project.projectPath)} && exec claude ${claudeArgs.map(escapeShellArg).join(" ")}`;
+    args.push(
+      "--tab",
+      "--title",
+      safeName,
+      "--",
+      "bash",
+      "-c",
+      wrapperScript
+    );
+  }
+  if (args.length > 0) {
+    spawn2("gnome-terminal", args, {
+      stdio: "ignore",
+      detached: true
+    }).unref();
   }
-  spawn2("gnome-terminal", args, {
-    stdio: "ignore",
-    detached: true
-  }).unref();
 }
 async function spawnInKitty(projects) {
-  if (process.env.KITTY_WINDOW_ID) {
-    for (const project of projects) {
-      const command = buildClaudeCommand(project);
+  const isInsideKitty = !!process.env.KITTY_WINDOW_ID;
+  for (let i = 0; i < projects.length; i++) {
+    const project = projects[i];
+    const validation = validateProject(project);
+    if (!validation.valid) {
+      console.error(`Skipping invalid project: ${validation.error}`);
+      continue;
+    }
+    const claudeArgs = buildClaudeArgs(project);
+    const safeName = sanitizeProjectName(project.projectName);
+    if (isInsideKitty) {
       spawn2("kitten", [
         "@",
         "launch",
         "--type=tab",
         "--tab-title",
-        project.projectName,
+        safeName,
         "--cwd",
         project.projectPath,
-        "bash",
-        "-c",
-        command
+        "claude",
+        ...claudeArgs
       ], { stdio: "inherit" });
+    } else {
+      if (i === 0) {
+        const kittyArgs = [
+          "--title",
+          safeName,
+          "--directory",
+          project.projectPath,
+          "claude",
+          ...claudeArgs
+        ];
+        spawn2("kitty", kittyArgs, {
+          stdio: "ignore",
+          detached: true
+        }).unref();
+      } else {
+        spawn2("kitty", [
+          "--title",
+          safeName,
+          "--directory",
+          project.projectPath,
+          "claude",
+          ...claudeArgs
+        ], {
+          stdio: "ignore",
+          detached: true
+        }).unref();
+      }
     }
-  } else {
-    const firstProject = projects[0];
-    const firstCommand = buildClaudeCommand(firstProject);
-    const args = [
-      "--title",
-      firstProject.projectName,
-      "--directory",
-      firstProject.projectPath,
-      "bash",
-      "-c",
-      firstCommand
-    ];
-    for (let i = 1; i < projects.length; i++) {
-      const project = projects[i];
-      const command = buildClaudeCommand(project);
-      args.push(
-        "--new-tab",
-        "--title",
-        project.projectName,
-        "--directory",
-        project.projectPath,
-        "bash",
-        "-c",
-        command
-      );
-    }
-    spawn2("kitty", args, {
-      stdio: "ignore",
-      detached: true
-    }).unref();
   }
 }
 async function spawnInAlacritty(projects) {
   for (const project of projects) {
-    const command = buildClaudeCommand(project);
+    const validation = validateProject(project);
+    if (!validation.valid) {
+      console.error(`Skipping invalid project: ${validation.error}`);
+      continue;
+    }
+    const claudeArgs = buildClaudeArgs(project);
+    const safeName = sanitizeProjectName(project.projectName);
     spawn2("alacritty", [
       "--title",
-      project.projectName,
+      safeName,
       "--working-directory",
       project.projectPath,
       "-e",
-      "bash",
-      "-c",
-      command
+      "claude",
+      ...claudeArgs
     ], {
       stdio: "ignore",
       detached: true
@@ -5190,15 +5402,20 @@ async function spawnInAlacritty(projects) {
 }
 async function spawnSequential(projects) {
   const project = projects[0];
-  const command = buildClaudeCommand(project);
-  console.log(`Starting: ${project.projectName}`);
-  console.log(`Path: ${project.projectPath}`);
+  const validation = validateProject(project);
+  if (!validation.valid) {
+    console.error(`Cannot start: ${validation.error}`);
+    return;
+  }
+  console.log(`Starting: ${sanitizeForLog(project.projectName)}`);
+  console.log(`Path: ${sanitizeForLog(project.projectPath)}`);
   if (projects.length > 1) {
     console.log(`
 Note: ${projects.length - 1} additional projects cannot be started in parallel.`);
     console.log("Install tmux for multi-project support: sudo apt install tmux");
   }
-  spawn2("bash", ["-c", command], {
+  const claudeArgs = buildClaudeArgs(project);
+  spawn2("claude", claudeArgs, {
     stdio: "inherit",
     cwd: project.projectPath
   });
@@ -5211,27 +5428,38 @@ async function spawnInDocker(projects) {
   }
   if (projects.length === 1) {
     const project = projects[0];
-    console.log(`Starting in Docker: ${project.projectName}`);
-    console.log(`Path: ${project.projectPath}`);
-    console.log(`Image: ${dockerSettings.defaultImage}`);
+    const validation = validateProject(project);
+    if (!validation.valid) {
+      console.error(`Cannot start: ${validation.error}`);
+      return;
+    }
+    console.log(`Starting in Docker: ${sanitizeForLog(project.projectName)}`);
+    console.log(`Path: ${sanitizeForLog(project.projectPath)}`);
+    console.log(`Image: ${sanitizeForLog(dockerSettings.defaultImage)}`);
     await dockerService.runClaudeInContainer(project, dockerSettings);
     return;
   }
   if (isInsideTmux()) {
     for (let i = 0; i < projects.length; i++) {
       const project = projects[i];
+      const validation = validateProject(project);
+      if (!validation.valid) {
+        console.error(`Skipping invalid project: ${validation.error}`);
+        continue;
+      }
       if (i === 0) {
-        console.log(`Starting in Docker: ${project.projectName}`);
+        console.log(`Starting in Docker: ${sanitizeForLog(project.projectName)}`);
         await dockerService.runClaudeInContainer(project, dockerSettings);
       } else {
-        const containerName = `shiva-${project.projectName.replace(/[^a-zA-Z0-9-]/g, "-")}-${Date.now()}`;
-        const cmd = dockerService.getDockerInfo().runtime === "podman" ? "podman" : "docker";
+        const safeName = sanitizeProjectName(project.projectName);
+        const containerName = `shiva-${safeName}-${Date.now()}`;
         spawnSync2("tmux", [
           "new-window",
           "-n",
-          project.projectName
+          safeName
         ], { stdio: "inherit" });
-        const dockerCmd = buildDockerCommand(project, dockerSettings, containerName);
+        const dockerArgs = buildSecureDockerArgs(project, dockerSettings, containerName);
+        const dockerCmd = dockerArgs.join(" ");
         spawnSync2("tmux", [
           "send-keys",
           dockerCmd,
@@ -5242,37 +5470,59 @@ async function spawnInDocker(projects) {
   } else {
     console.log(`Starting ${projects.length} projects in Docker containers...`);
     for (const project of projects) {
-      console.log(`  - ${project.projectName}`);
+      const validation2 = validateProject(project);
+      if (validation2.valid) {
+        console.log(`  - ${sanitizeForLog(project.projectName)}`);
+      }
     }
     const firstProject = projects[0];
-    console.log(`
-Attaching to: ${firstProject.projectName}`);
-    for (let i = 1; i < projects.length; i++) {
-      const project = projects[i];
-      console.log(`Background container started for: ${project.projectName}`);
+    const validation = validateProject(firstProject);
+    if (!validation.valid) {
+      console.error(`Cannot start: ${validation.error}`);
+      return;
     }
+    console.log(`
+Attaching to: ${sanitizeForLog(firstProject.projectName)}`);
     await dockerService.runClaudeInContainer(firstProject, dockerSettings);
   }
 }
-function buildDockerCommand(project, settings, containerName) {
+function buildSecureDockerArgs(project, settings, containerName) {
   const cmd = dockerService.getDockerInfo().runtime === "podman" ? "podman" : "docker";
-  const os7 = __require("os");
-  const path15 = __require("path");
-  let dockerCmd = `${cmd} run -it --rm --name ${containerName} --workdir /workspace`;
-  dockerCmd += ` -v "${project.projectPath}:/workspace:rw"`;
-  dockerCmd += ` -v "${path15.join(os7.homedir(), ".claude")}:/root/.claude:rw"`;
-  dockerCmd += ` -v "${path15.join(os7.homedir(), ".config", "shiva-code")}:/root/.config/shiva-code:rw"`;
-  for (const [host, container] of Object.entries(settings.volumeMounts || {})) {
-    dockerCmd += ` -v "${host}:${container}:rw"`;
+  const homeDir = os3.homedir();
+  const args = [
+    cmd,
+    "run",
+    "-it",
+    "--rm",
+    "--name",
+    containerName,
+    "--workdir",
+    "/workspace",
+    "-v",
+    `${project.projectPath}:/workspace:rw`,
+    "-v",
+    `${path3.join(homeDir, ".claude")}:/root/.claude:rw`,
+    "-v",
+    `${path3.join(homeDir, ".config", "shiva-code")}:/root/.config/shiva-code:rw`
+  ];
+  for (const [hostPath, containerPath] of Object.entries(settings.volumeMounts || {})) {
+    if (isValidProjectPath(hostPath)) {
+      args.push("-v", `${hostPath}:${containerPath}:rw`);
+    }
   }
   for (const [key, value] of Object.entries(settings.environment || {})) {
-    dockerCmd += ` -e "${key}=${value}"`;
+    if (/^[A-Z_][A-Z0-9_]*$/.test(key)) {
+      args.push("-e", `${key}=${value}`);
+    }
   }
-  dockerCmd += ` ${settings.defaultImage} claude`;
+  args.push(settings.defaultImage, "claude");
   if (project.sessionId && !project.newSession) {
-    dockerCmd += ` --resume ${project.sessionId}`;
+    args.push("--resume", project.sessionId);
   }
-  return dockerCmd;
+  return args;
+}
+function escapeShellArg(arg) {
+  return `'${arg.replace(/'/g, "'\\''")}'`;
 }
 async function spawnProjects(projects, terminal) {
   if (projects.length === 0) {
@@ -5320,9 +5570,9 @@ function getTerminalName(terminal) {
 }
 
 // src/services/sandbox/sandbox.ts
-import { execSync as execSync3 } from "child_process";
+import { execSync } from "child_process";
 import { existsSync as existsSync6, mkdirSync, rmSync, readdirSync as readdirSync2, copyFileSync, readFileSync as readFileSync2 } from "fs";
-import { join as join3, dirname } from "path";
+import { join as join4, dirname } from "path";
 import { randomUUID } from "crypto";
 import Conf3 from "conf";
 var DEFAULT_SANDBOX_CONFIG = {
@@ -5361,10 +5611,10 @@ var SandboxService = class {
   /**
    * Check if a path is a git repository
    */
-  isGitRepo(path15) {
+  isGitRepo(path16) {
     try {
-      execSync3("git rev-parse --git-dir", {
-        cwd: path15,
+      execSync("git rev-parse --git-dir", {
+        cwd: path16,
         stdio: "pipe"
       });
       return true;
@@ -5377,11 +5627,11 @@ var SandboxService = class {
    */
   isDockerAvailable() {
     try {
-      execSync3("docker info", { stdio: "pipe" });
+      execSync("docker info", { stdio: "pipe" });
       return true;
     } catch {
       try {
-        execSync3("podman info", { stdio: "pipe" });
+        execSync("podman info", { stdio: "pipe" });
         return true;
       } catch {
         return false;
@@ -5404,7 +5654,7 @@ var SandboxService = class {
    * Get the .shiva/sandbox directory path
    */
   getSandboxDir(projectPath) {
-    return join3(projectPath, ".shiva", "sandbox");
+    return join4(projectPath, ".shiva", "sandbox");
   }
   /**
    * Generate a unique session ID
@@ -5466,13 +5716,13 @@ var SandboxService = class {
    */
   async createWorktreeSandbox(projectPath, sessionId) {
     const sandboxDir = this.getSandboxDir(projectPath);
-    const sandboxPath = join3(sandboxDir, `session-${sessionId}`);
+    const sandboxPath = join4(sandboxDir, `session-${sessionId}`);
     mkdirSync(dirname(sandboxPath), { recursive: true });
-    const currentRef = execSync3("git rev-parse HEAD", {
+    const currentRef = execSync("git rev-parse HEAD", {
       cwd: projectPath,
       encoding: "utf-8"
     }).trim();
-    execSync3(`git worktree add --detach "${sandboxPath}" ${currentRef}`, {
+    execSync(`git worktree add --detach "${sandboxPath}" ${currentRef}`, {
       cwd: projectPath,
       stdio: "pipe"
     });
@@ -5484,14 +5734,14 @@ var SandboxService = class {
    */
   async copyUntrackedFiles(projectPath, sandboxPath) {
     try {
-      const untrackedOutput = execSync3("git ls-files --others --exclude-standard", {
+      const untrackedOutput = execSync("git ls-files --others --exclude-standard", {
         cwd: projectPath,
         encoding: "utf-8"
       });
       const untrackedFiles = untrackedOutput.split("\n").filter((f) => f.trim().length > 0);
       for (const file of untrackedFiles) {
-        const srcPath = join3(projectPath, file);
-        const destPath = join3(sandboxPath, file);
+        const srcPath = join4(projectPath, file);
+        const destPath = join4(sandboxPath, file);
         if (!existsSync6(srcPath)) continue;
         const config2 = this.getConfig();
         if (config2.excludePaths.some((excluded) => file.startsWith(excluded))) {
@@ -5511,7 +5761,7 @@ var SandboxService = class {
    */
   async createCopySandbox(projectPath, sessionId, excludePaths) {
     const sandboxDir = this.getSandboxDir(projectPath);
-    const sandboxPath = join3(sandboxDir, `session-${sessionId}`);
+    const sandboxPath = join4(sandboxDir, `session-${sessionId}`);
     mkdirSync(sandboxPath, { recursive: true });
     this.copyDirectory(projectPath, sandboxPath, excludePaths);
     return sandboxPath;
@@ -5522,8 +5772,8 @@ var SandboxService = class {
   copyDirectory(src, dest, excludePaths) {
     const entries = readdirSync2(src, { withFileTypes: true });
     for (const entry of entries) {
-      const srcPath = join3(src, entry.name);
-      const destPath = join3(dest, entry.name);
+      const srcPath = join4(src, entry.name);
+      const destPath = join4(dest, entry.name);
       if (excludePaths.includes(entry.name)) {
         continue;
       }
@@ -5543,9 +5793,9 @@ var SandboxService = class {
    */
   async createDockerOverlaySandbox(projectPath, sessionId) {
     const sandboxDir = this.getSandboxDir(projectPath);
-    const sandboxPath = join3(sandboxDir, `session-${sessionId}`);
-    const upperDir = join3(sandboxDir, `upper-${sessionId}`);
-    const workDir = join3(sandboxDir, `work-${sessionId}`);
+    const sandboxPath = join4(sandboxDir, `session-${sessionId}`);
+    const upperDir = join4(sandboxDir, `upper-${sessionId}`);
+    const workDir = join4(sandboxDir, `work-${sessionId}`);
     mkdirSync(sandboxPath, { recursive: true });
     mkdirSync(upperDir, { recursive: true });
     mkdirSync(workDir, { recursive: true });
@@ -5612,7 +5862,7 @@ var SandboxService = class {
     }
     if (session.mode === "worktree") {
       try {
-        execSync3(`git worktree remove "${session.sandboxPath}" --force`, {
+        execSync(`git worktree remove "${session.sandboxPath}" --force`, {
           cwd: session.projectPath,
           stdio: "pipe"
         });
@@ -5621,7 +5871,7 @@ var SandboxService = class {
           rmSync(session.sandboxPath, { recursive: true, force: true });
         }
         try {
-          execSync3("git worktree prune", {
+          execSync("git worktree prune", {
             cwd: session.projectPath,
             stdio: "pipe"
           });
@@ -5650,11 +5900,11 @@ var SandboxService = class {
     }
     const changes = [];
     if (session.mode === "worktree") {
-      const diffOutput = execSync3("git diff --stat --numstat HEAD", {
+      const diffOutput = execSync("git diff --stat --numstat HEAD", {
         cwd: session.sandboxPath,
         encoding: "utf-8"
       });
-      const untrackedOutput = execSync3("git ls-files --others --exclude-standard", {
+      const untrackedOutput = execSync("git ls-files --others --exclude-standard", {
         cwd: session.sandboxPath,
         encoding: "utf-8"
       });
@@ -5673,7 +5923,7 @@ var SandboxService = class {
       }
       const untrackedFiles = untrackedOutput.split("\n").filter((f) => f.trim().length > 0);
       for (const file of untrackedFiles) {
-        const filePath = join3(session.sandboxPath, file);
+        const filePath = join4(session.sandboxPath, file);
         if (existsSync6(filePath)) {
           const content = readFileSync2(filePath, "utf-8");
           const lineCount = content.split("\n").length;
@@ -5708,7 +5958,7 @@ var SandboxService = class {
   async compareDirectories(originalPath, sandboxPath, relativePath, changes) {
     const config2 = this.getConfig();
     const sandboxEntries = /* @__PURE__ */ new Set();
-    const sandboxFullPath = join3(sandboxPath, relativePath);
+    const sandboxFullPath = join4(sandboxPath, relativePath);
     if (existsSync6(sandboxFullPath)) {
       const entries = readdirSync2(sandboxFullPath, { withFileTypes: true });
       for (const entry of entries) {
@@ -5716,9 +5966,9 @@ var SandboxService = class {
           continue;
         }
         sandboxEntries.add(entry.name);
-        const entryRelPath = relativePath ? join3(relativePath, entry.name) : entry.name;
-        const originalEntryPath = join3(originalPath, entryRelPath);
-        const sandboxEntryPath = join3(sandboxPath, entryRelPath);
+        const entryRelPath = relativePath ? join4(relativePath, entry.name) : entry.name;
+        const originalEntryPath = join4(originalPath, entryRelPath);
+        const sandboxEntryPath = join4(sandboxPath, entryRelPath);
         if (entry.isDirectory()) {
           if (!existsSync6(originalEntryPath)) {
             await this.countNewDirectoryChanges(sandboxEntryPath, entryRelPath, changes);
@@ -5752,7 +6002,7 @@ var SandboxService = class {
         }
       }
     }
-    const originalFullPath = join3(originalPath, relativePath);
+    const originalFullPath = join4(originalPath, relativePath);
     if (existsSync6(originalFullPath)) {
       const entries = readdirSync2(originalFullPath, { withFileTypes: true });
       for (const entry of entries) {
@@ -5760,8 +6010,8 @@ var SandboxService = class {
           continue;
         }
         if (!sandboxEntries.has(entry.name)) {
-          const entryRelPath = relativePath ? join3(relativePath, entry.name) : entry.name;
-          const originalEntryPath = join3(originalPath, entryRelPath);
+          const entryRelPath = relativePath ? join4(relativePath, entry.name) : entry.name;
+          const originalEntryPath = join4(originalPath, entryRelPath);
           if (entry.isDirectory()) {
             await this.countDeletedDirectoryChanges(originalEntryPath, entryRelPath, changes);
           } else {
@@ -5804,8 +6054,8 @@ var SandboxService = class {
     const config2 = this.getConfig();
     for (const entry of entries) {
       if (config2.excludePaths.includes(entry.name)) continue;
-      const entryRelPath = join3(relativePath, entry.name);
-      const entryPath = join3(dirPath, entry.name);
+      const entryRelPath = join4(relativePath, entry.name);
+      const entryPath = join4(dirPath, entry.name);
       if (entry.isDirectory()) {
         await this.countNewDirectoryChanges(entryPath, entryRelPath, changes);
       } else {
@@ -5828,8 +6078,8 @@ var SandboxService = class {
     const config2 = this.getConfig();
     for (const entry of entries) {
       if (config2.excludePaths.includes(entry.name)) continue;
-      const entryRelPath = join3(relativePath, entry.name);
-      const entryPath = join3(dirPath, entry.name);
+      const entryRelPath = join4(relativePath, entry.name);
+      const entryPath = join4(dirPath, entry.name);
       if (entry.isDirectory()) {
         await this.countDeletedDirectoryChanges(entryPath, entryRelPath, changes);
       } else {
@@ -5854,13 +6104,13 @@ var SandboxService = class {
     }
     if (session.mode === "worktree") {
       try {
-        const diff = execSync3(`git diff HEAD -- "${filePath}"`, {
+        const diff = execSync(`git diff HEAD -- "${filePath}"`, {
           cwd: session.sandboxPath,
           encoding: "utf-8"
         });
         return diff || "(no changes)";
       } catch {
-        const sandboxFilePath2 = join3(session.sandboxPath, filePath);
+        const sandboxFilePath2 = join4(session.sandboxPath, filePath);
         if (existsSync6(sandboxFilePath2)) {
           const content = readFileSync2(sandboxFilePath2, "utf-8");
           return `+++ ${filePath} (new file)
@@ -5869,8 +6119,8 @@ ${content.split("\n").map((l) => `+ ${l}`).join("\n")}`;
         return "(file not found)";
       }
     }
-    const originalPath = join3(session.projectPath, filePath);
-    const sandboxFilePath = join3(session.sandboxPath, filePath);
+    const originalPath = join4(session.projectPath, filePath);
+    const sandboxFilePath = join4(session.sandboxPath, filePath);
     const originalExists = existsSync6(originalPath);
     const sandboxExists = existsSync6(sandboxFilePath);
     if (!originalExists && sandboxExists) {
@@ -5928,8 +6178,8 @@ ${content.split("\n").map((l) => `- ${l}`).join("\n")}`;
     for (const filePath of pathsToApply) {
       const change = diff.changes.find((c) => c.path === filePath);
       if (!change) continue;
-      const srcPath = join3(session.sandboxPath, filePath);
-      const destPath = join3(session.projectPath, filePath);
+      const srcPath = join4(session.sandboxPath, filePath);
+      const destPath = join4(session.projectPath, filePath);
       if (change.type === "deleted") {
         if (existsSync6(destPath)) {
           rmSync(destPath, { force: true });
@@ -5966,8 +6216,8 @@ ${content.split("\n").map((l) => `- ${l}`).join("\n")}`;
       throw new Error(`Sandbox ${sessionId} not found`);
     }
     for (const filePath of filePaths) {
-      const sandboxFilePath = join3(session.sandboxPath, filePath);
-      const originalPath = join3(session.projectPath, filePath);
+      const sandboxFilePath = join4(session.sandboxPath, filePath);
+      const originalPath = join4(session.projectPath, filePath);
       if (existsSync6(originalPath)) {
         copyFileSync(originalPath, sandboxFilePath);
       } else {
@@ -6064,7 +6314,7 @@ var startCommand = new Command10("start").description("Projekte starten (mit Git
     const allProjects = await getAllClaudeProjects();
     const launches = [];
     for (const projektArg of projekte) {
-      const absolutePath = path3.resolve(projektArg);
+      const absolutePath = path4.resolve(projektArg);
       if (fs.existsSync(absolutePath) && fs.statSync(absolutePath).isDirectory()) {
         const project = findProjectFromArray(allProjects, absolutePath);
         const latestSession = project?.latestSession;
@@ -6814,10 +7064,10 @@ import ora9 from "ora";
 
 // src/services/data/tags.ts
 import * as fs4 from "fs";
-import * as path4 from "path";
-import * as os3 from "os";
+import * as path5 from "path";
+import * as os4 from "os";
 function getTagsPath() {
-  return path4.join(os3.homedir(), ".shiva", "tags.json");
+  return path5.join(os4.homedir(), ".shiva", "tags.json");
 }
 function loadTagsData() {
   const filepath = getTagsPath();
@@ -6833,7 +7083,7 @@ function loadTagsData() {
 }
 function saveTagsData(data) {
   const filepath = getTagsPath();
-  const dir = path4.dirname(filepath);
+  const dir = path5.dirname(filepath);
   if (!fs4.existsSync(dir)) {
     fs4.mkdirSync(dir, { recursive: true });
   }
@@ -7085,10 +7335,10 @@ var sessionsCommand = new Command13("sessions").description("Alle Claude Code Se
   log.dim(`Total: ${stats.activeProjects} Projekte, ${stats.totalSessions} Sessions`);
   log.newline();
 }));
-async function checkProjectExists(path15) {
+async function checkProjectExists(path16) {
   try {
     const fs15 = await import("fs");
-    return fs15.existsSync(path15);
+    return fs15.existsSync(path16);
   } catch {
     return false;
   }
@@ -7349,10 +7599,10 @@ sessionCommand.command("apply").description("Sandbox-\xC4nderungen \xFCbernehmen
     log.header("Folgende \xC4nderungen werden \xFCbernommen:");
     log.newline();
     const pathsToApply = selectedPaths || diff.changes.map((c) => c.path);
-    for (const path15 of pathsToApply) {
-      const change = diff.changes.find((c) => c.path === path15);
+    for (const path16 of pathsToApply) {
+      const change = diff.changes.find((c) => c.path === path16);
       if (change) {
-        console.log(`  ${formatChangeType(change.type)} ${path15}`);
+        console.log(`  ${formatChangeType(change.type)} ${path16}`);
       }
     }
     log.newline();
@@ -7547,7 +7797,7 @@ sessionCommand.command("config").description("Sandbox-Konfiguration verwalten").
 import { Command as Command15 } from "commander";
 import { spawn as spawn5, spawnSync as spawnSync5 } from "child_process";
 import * as fs5 from "fs";
-import * as path5 from "path";
+import * as path6 from "path";
 import inquirer6 from "inquirer";
 var githubCommand = new Command15("github").description("GitHub Integration verwalten").action(() => {
   showStatus();
@@ -7969,9 +8219,9 @@ githubCommand.command("git-hook").description("Git Hooks f\xFCr Branch-Session I
     log.error("Kein Git Repository");
     return;
   }
-  const gitDir = path5.join(cwd, ".git");
-  const hooksDir = path5.join(gitDir, "hooks");
-  const hookFile = path5.join(hooksDir, "post-checkout");
+  const gitDir = path6.join(cwd, ".git");
+  const hooksDir = path6.join(gitDir, "hooks");
+  const hookFile = path6.join(hooksDir, "post-checkout");
   if (options.uninstall) {
     if (fs5.existsSync(hookFile)) {
       const content = fs5.readFileSync(hookFile, "utf-8");
@@ -8045,13 +8295,13 @@ githubCommand.command("map").description("Aktuellen Branch mit einer Session ver
     initShivaDir(cwd);
   }
   if (!sessionId) {
-    const { findProject: findProject3 } = await import("./manager-LXNF7QWT.js");
+    const { findProject: findProject3 } = await import("./manager-ZPQWG7E6.js");
     const project = await findProject3(cwd);
     if (!project || project.sessions.length === 0) {
       log.error("Keine Sessions f\xFCr dieses Projekt gefunden");
       return;
     }
-    const { formatDate: formatDate2 } = await import("./manager-LXNF7QWT.js");
+    const { formatDate: formatDate2 } = await import("./manager-ZPQWG7E6.js");
     const choices = project.sessions.slice(0, 10).map((s) => {
       const time = formatDate2(s.modified);
       const msgs = `${s.messageCount} msgs`;
@@ -8360,7 +8610,7 @@ var prsCommand = new Command17("prs").description("GitHub Pull Requests \xFCber
 import { Command as Command18 } from "commander";
 import { readFile } from "fs/promises";
 import { existsSync as existsSync12 } from "fs";
-import { join as join6, resolve as resolve7 } from "path";
+import { join as join7, resolve as resolve7 } from "path";
 
 // src/services/security/package-scanner.ts
 import Conf4 from "conf";
@@ -9713,9 +9963,9 @@ async function parsePackageJson(filePath) {
   }
   const dir = resolve7(filePath, "..");
   let manager = "npm";
-  if (existsSync12(join6(dir, "pnpm-lock.yaml"))) {
+  if (existsSync12(join7(dir, "pnpm-lock.yaml"))) {
     manager = "pnpm";
-  } else if (existsSync12(join6(dir, "yarn.lock"))) {
+  } else if (existsSync12(join7(dir, "yarn.lock"))) {
     manager = "yarn";
   }
   return { packages, manager };
@@ -9816,15 +10066,15 @@ var scanCommand = new Command18("scan").description("Scanne Packages auf Sicherh
   }
   if (options.project) {
     const cwd = process.cwd();
-    if (existsSync12(join6(cwd, "package.json"))) {
-      const parsed = await parsePackageJson(join6(cwd, "package.json"));
+    if (existsSync12(join7(cwd, "package.json"))) {
+      const parsed = await parsePackageJson(join7(cwd, "package.json"));
       packagesToScan = parsed.packages;
       manager = parsed.manager;
-    } else if (existsSync12(join6(cwd, "requirements.txt"))) {
-      packagesToScan = await parseRequirementsTxt(join6(cwd, "requirements.txt"));
+    } else if (existsSync12(join7(cwd, "requirements.txt"))) {
+      packagesToScan = await parseRequirementsTxt(join7(cwd, "requirements.txt"));
       manager = "pip";
-    } else if (existsSync12(join6(cwd, "Cargo.toml"))) {
-      packagesToScan = await parseCargoToml(join6(cwd, "Cargo.toml"));
+    } else if (existsSync12(join7(cwd, "Cargo.toml"))) {
+      packagesToScan = await parseCargoToml(join7(cwd, "Cargo.toml"));
       manager = "cargo";
     } else {
       log.error("No dependency file found in current directory");
@@ -10528,10 +10778,10 @@ import { Command as Command20 } from "commander";
 import inquirer8 from "inquirer";
 import ora13 from "ora";
 import * as fs6 from "fs";
-import * as path6 from "path";
+import * as path7 from "path";
 
 // src/utils/clipboard.ts
-import { execSync as execSync4, spawnSync as spawnSync6 } from "child_process";
+import { execSync as execSync2, spawnSync as spawnSync6 } from "child_process";
 var CLIPBOARD_COMMANDS = [
   // Wayland (modern Linux)
   { command: "wl-copy", args: [], check: "wl-copy" },
@@ -10544,7 +10794,7 @@ var CLIPBOARD_COMMANDS = [
 ];
 function commandExists2(command) {
   try {
-    execSync4(`which ${command}`, { stdio: "ignore" });
+    execSync2(`which ${command}`, { stdio: "ignore" });
     return true;
   } catch {
     return false;
@@ -10590,6 +10840,7 @@ function getClipboardInstallInstructions() {
 }
 
 // src/commands/security/secrets.ts
+var SECURE_FILE_MODE = 384;
 var secretsCommand = new Command20("secrets").description("API Keys und Secrets verwalten (Cloud Vault)").action(async () => {
   await listSecrets();
 });
@@ -10744,7 +10995,7 @@ secretsCommand.command("remove").alias("rm").alias("delete").description("Secret
     log.error(error instanceof Error ? error.message : "Fehler beim L\xF6schen");
   }
 });
-secretsCommand.command("get").description("Secret-Wert anzeigen (vorsicht!)").argument("<key>", "Secret-Name").option("-p, --project <id>", "Projekt-spezifisches Secret").option("-c, --copy", "In Zwischenablage kopieren").option("-q, --quiet", "Nur Wert ausgeben (f\xFCr Skripte)").action(async (key, options) => {
+secretsCommand.command("get").description("Secret-Wert anzeigen (maskiert)").argument("<key>", "Secret-Name").option("-p, --project <id>", "Projekt-spezifisches Secret").option("-c, --copy", "In Zwischenablage kopieren").option("-r, --reveal", "Vollst\xE4ndigen Wert anzeigen (Sicherheitsrisiko!)").option("-q, --quiet", "Nur Wert ausgeben (f\xFCr Skripte)").action(async (key, options) => {
   if (!isAuthenticated()) {
     log.errorWithSuggestion(Errors.NOT_AUTHENTICATED());
     return;
@@ -10796,7 +11047,12 @@ secretsCommand.command("get").description("Secret-Wert anzeigen (vorsicht!)").ar
     }
     log.newline();
     log.keyValue("Key", result.key);
-    log.keyValue("Value", result.value);
+    if (options.reveal) {
+      log.keyValue("Value", result.value);
+    } else {
+      log.keyValue("Value", maskSecret(result.value));
+      log.dim("Vollst\xE4ndiger Wert mit --reveal oder -r anzeigen");
+    }
     log.keyValue("Scope", result.scope);
     log.newline();
   } catch (error) {
@@ -10828,10 +11084,10 @@ secretsCommand.command("env").description("Secrets als .env Format ausgeben").op
     spinner.stop();
     const envContent = Object.entries(secrets).map(([key, value]) => `${key}="${value}"`).join("\n");
     if (options.output) {
-      const { writeFileSync: writeFileSync11 } = await import("fs");
-      writeFileSync11(options.output, envContent + "\n", "utf-8");
+      fs6.writeFileSync(options.output, envContent + "\n", { mode: SECURE_FILE_MODE });
       log.success(`Secrets in ${options.output} geschrieben`);
       log.warn("Diese Datei enth\xE4lt sensible Daten!");
+      log.dim(`Datei-Berechtigungen auf ${SECURE_FILE_MODE.toString(8)} gesetzt`);
     } else {
       log.newline();
       console.log(envContent);
@@ -10847,7 +11103,7 @@ secretsCommand.command("import").description(".env Datei in Vault importieren").
     log.errorWithSuggestion(Errors.NOT_AUTHENTICATED());
     return;
   }
-  const filePath = path6.resolve(file);
+  const filePath = path7.resolve(file);
   if (!fs6.existsSync(filePath)) {
     log.errorWithSuggestion(Errors.FILE_NOT_FOUND(file));
     return;
@@ -10880,7 +11136,7 @@ secretsCommand.command("import").description(".env Datei in Vault importieren").
     log.listItem(`${secret.key} = ${preview}`);
   }
   log.newline();
-  log.dim(`${secrets.length} Secret(s) aus ${path6.basename(file)}`);
+  log.dim(`${secrets.length} Secret(s) aus ${path7.basename(file)}`);
   log.newline();
   if (options.dryRun) {
     log.info("Dry-run: Keine \xC4nderungen vorgenommen");
@@ -10954,9 +11210,10 @@ secretsCommand.command("export").description("Secrets exportieren").option("-p,
       }).join("\n");
     }
     if (options.output) {
-      fs6.writeFileSync(options.output, output + "\n", "utf-8");
+      fs6.writeFileSync(options.output, output + "\n", { mode: SECURE_FILE_MODE });
       log.success(`Secrets in ${options.output} geschrieben`);
       log.warn("Diese Datei enth\xE4lt sensible Daten!");
+      log.dim(`Datei-Berechtigungen auf ${SECURE_FILE_MODE.toString(8)} gesetzt`);
       log.dim("Zur .gitignore hinzuf\xFCgen!");
     } else {
       log.newline();
@@ -10976,22 +11233,22 @@ import ora14 from "ora";
 
 // src/services/data/memory.ts
 import * as fs7 from "fs";
-import * as path7 from "path";
-import * as os4 from "os";
+import * as path8 from "path";
+import * as os5 from "os";
 function findAllClaudeMdFiles() {
   const results = [];
-  const sessionsPath = path7.join(os4.homedir(), ".claude", "projects");
+  const sessionsPath = path8.join(os5.homedir(), ".claude", "projects");
   if (fs7.existsSync(sessionsPath)) {
     const dirs = fs7.readdirSync(sessionsPath);
     for (const dir of dirs) {
       const projectPath = decodeProjectPath(dir);
       if (projectPath && fs7.existsSync(projectPath)) {
-        const claudeMdPath = path7.join(projectPath, "CLAUDE.md");
+        const claudeMdPath = path8.join(projectPath, "CLAUDE.md");
         if (fs7.existsSync(claudeMdPath)) {
           results.push({
             path: claudeMdPath,
             projectPath,
-            projectName: path7.basename(projectPath)
+            projectName: path8.basename(projectPath)
           });
         }
       }
@@ -11103,7 +11360,7 @@ async function searchMemories(query, options = {}) {
   };
 }
 function deleteLocalMemory(projectPath, key) {
-  const claudeMdPath = path7.join(projectPath, "CLAUDE.md");
+  const claudeMdPath = path8.join(projectPath, "CLAUDE.md");
   if (!fs7.existsSync(claudeMdPath)) {
     return false;
   }
@@ -11153,7 +11410,7 @@ async function deleteMemory(projectPath, key, options = {}) {
 }
 async function deleteAllProjectMemories(projectPath) {
   const result = { local: 0, cloud: 0 };
-  const claudeMdPath = path7.join(projectPath, "CLAUDE.md");
+  const claudeMdPath = path8.join(projectPath, "CLAUDE.md");
   if (fs7.existsSync(claudeMdPath)) {
     try {
       let content = fs7.readFileSync(claudeMdPath, "utf-8");
@@ -11182,8 +11439,8 @@ async function deleteAllProjectMemories(projectPath) {
   return result;
 }
 async function getContextPreview(projectPath) {
-  const projectName = path7.basename(projectPath);
-  const claudeMdPath = path7.join(projectPath, "CLAUDE.md");
+  const projectName = path8.basename(projectPath);
+  const claudeMdPath = path8.join(projectPath, "CLAUDE.md");
   const preview = {
     projectName,
     projectPath,
@@ -11205,8 +11462,8 @@ async function getContextPreview(projectPath) {
       projectPath
     }));
   }
-  const shivaDir = path7.join(projectPath, ".shiva");
-  const contextPath = path7.join(shivaDir, "github-context.md");
+  const shivaDir = path8.join(projectPath, ".shiva");
+  const contextPath = path8.join(shivaDir, "github-context.md");
   if (fs7.existsSync(contextPath)) {
     const content = fs7.readFileSync(contextPath, "utf-8");
     preview.githubContext = content;
@@ -11300,7 +11557,7 @@ function escapeRegex2(str) {
 
 // src/commands/memory/forget.ts
 import { Command as Command22 } from "commander";
-import * as path8 from "path";
+import * as path9 from "path";
 import inquirer9 from "inquirer";
 import ora15 from "ora";
 var forgetCommand = new Command22("forget").description("Memories l\xF6schen (GDPR)").argument("[key]", "Memory-Key zum L\xF6schen").option("-p, --project <path>", "Projekt-Pfad").option("--all", "Alle Memories eines Projekts l\xF6schen").option("--search <query>", "Memories nach Suchbegriff l\xF6schen").option("--local-only", "Nur lokal l\xF6schen").option("--cloud-only", "Nur aus Cloud l\xF6schen").option("-f, --force", "Ohne Best\xE4tigung l\xF6schen").option("--dry-run", "Nur anzeigen, was gel\xF6scht w\xFCrde").action(async (key, options) => {
@@ -11308,7 +11565,7 @@ var forgetCommand = new Command22("forget").description("Memories l\xF6schen (GD
   console.log(colors.orange.bold("SHIVA Code - Forget"));
   console.log(colors.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   log.newline();
-  const projectPath = options.project ? path8.resolve(options.project) : process.cwd();
+  const projectPath = options.project ? path9.resolve(options.project) : process.cwd();
   if (options.all) {
     await handleDeleteAll(projectPath, options);
     return;
@@ -11324,7 +11581,7 @@ var forgetCommand = new Command22("forget").description("Memories l\xF6schen (GD
   await handleInteractiveDelete(projectPath, options);
 });
 async function handleDeleteAll(projectPath, options) {
-  const projectName = path8.basename(projectPath);
+  const projectName = path9.basename(projectPath);
   console.log(colors.red.bold("\u26A0\uFE0F  WARNUNG: Alle Memories l\xF6schen"));
   console.log(colors.dim(`Projekt: ${projectName}`));
   console.log(colors.dim(`Pfad: ${projectPath}`));
@@ -11430,7 +11687,7 @@ async function handleDeleteBySearch(query, projectPath, options) {
 }
 async function handleDeleteKey(key, projectPath, options) {
   console.log(colors.bold(`Memory l\xF6schen: ${key}`));
-  console.log(colors.dim(`Projekt: ${path8.basename(projectPath)}`));
+  console.log(colors.dim(`Projekt: ${path9.basename(projectPath)}`));
   log.newline();
   if (options.dryRun) {
     log.info("Dry-run: Keine \xC4nderungen werden vorgenommen");
@@ -11545,12 +11802,12 @@ function truncate(str, maxLen) {
 
 // src/commands/memory/context.ts
 import { Command as Command23 } from "commander";
-import * as path9 from "path";
+import * as path10 from "path";
 import * as fs8 from "fs";
 import ora16 from "ora";
 var contextCommand = new Command23("context").description("Zeigt was in Claude injected w\xFCrde").option("-d, --dir <path>", "Projektverzeichnis").option("--github", "GitHub Context einschlie\xDFen").option("--secrets", "Secret-Keys anzeigen").option("--raw", "Rohe CLAUDE.md Ausgabe").option("--json", "JSON Ausgabe").option("-s, --size", "Nur Gr\xF6\xDFe anzeigen").action(async (options) => {
-  const projectPath = options.dir ? path9.resolve(options.dir) : process.cwd();
-  const projectName = path9.basename(projectPath);
+  const projectPath = options.dir ? path10.resolve(options.dir) : process.cwd();
+  const projectName = path10.basename(projectPath);
   if (!fs8.existsSync(projectPath)) {
     log.error(`Verzeichnis nicht gefunden: ${projectPath}`);
     return;
@@ -11934,15 +12191,15 @@ async function resolveSessionId(input) {
 
 // src/commands/memory/export.ts
 import { Command as Command25 } from "commander";
-import * as path11 from "path";
+import * as path12 from "path";
 import * as fs10 from "fs";
 import ora17 from "ora";
 import inquirer11 from "inquirer";
 
 // src/services/session/export.ts
 import * as fs9 from "fs";
-import * as path10 from "path";
-import { execSync as execSync5 } from "child_process";
+import * as path11 from "path";
+import { execSync as execSync3 } from "child_process";
 async function exportSession(sessionId, options = {}) {
   const projects = await getAllClaudeProjects();
   for (const project of projects) {
@@ -11957,7 +12214,7 @@ async function exportSession(sessionId, options = {}) {
         tags: getSessionTags(sessionId)
       };
       if (options.includeTranscript) {
-        const transcriptPath = path10.join(
+        const transcriptPath = path11.join(
           getClaudeProjectsPath(),
           encodeProjectPath(project.absolutePath),
           session.sessionId + ".jsonl"
@@ -11967,7 +12224,7 @@ async function exportSession(sessionId, options = {}) {
         }
       }
       if (options.includeConversation && options.includeTranscript) {
-        const transcriptPath = path10.join(
+        const transcriptPath = path11.join(
           getClaudeProjectsPath(),
           encodeProjectPath(project.absolutePath),
           session.sessionId + ".jsonl"
@@ -12008,7 +12265,7 @@ async function exportSessions(sessionIds, outputDir, options = {}) {
     const exported = await exportSession(sessionId, options);
     if (exported) {
       const filename = `${exported.projectName}-${sessionId.slice(0, 8)}.json`;
-      const filepath = path10.join(outputDir, filename);
+      const filepath = path11.join(outputDir, filename);
       fs9.writeFileSync(filepath, JSON.stringify(exported, null, 2));
       success++;
     } else {
@@ -12038,7 +12295,7 @@ function createBackupArchive(outputPath, projectPaths) {
     if (projectPaths && projectPaths.length > 0) {
       for (const p of projectPaths) {
         const encoded = encodeProjectPath(p);
-        const fullPath = path10.join(claudeDir, encoded);
+        const fullPath = path11.join(claudeDir, encoded);
         if (fs9.existsSync(fullPath)) {
           includePaths.push(encoded);
         }
@@ -12046,7 +12303,7 @@ function createBackupArchive(outputPath, projectPaths) {
     } else {
       const entries = fs9.readdirSync(claudeDir);
       includePaths = entries.filter((e) => {
-        const stat = fs9.statSync(path10.join(claudeDir, e));
+        const stat = fs9.statSync(path11.join(claudeDir, e));
         return stat.isDirectory();
       });
     }
@@ -12054,7 +12311,7 @@ function createBackupArchive(outputPath, projectPaths) {
       return false;
     }
     const tarArgs = includePaths.join(" ");
-    execSync5(`tar -czf "${outputPath}" -C "${claudeDir}" ${tarArgs}`, {
+    execSync3(`tar -czf "${outputPath}" -C "${claudeDir}" ${tarArgs}`, {
       stdio: "ignore"
     });
     return true;
@@ -12066,11 +12323,11 @@ async function importSession(data, targetProjectPath) {
   try {
     const projectPath = targetProjectPath || data.projectPath;
     const encodedPath = encodeProjectPath(projectPath);
-    const sessionDir = path10.join(getClaudeProjectsPath(), encodedPath);
+    const sessionDir = path11.join(getClaudeProjectsPath(), encodedPath);
     if (!fs9.existsSync(sessionDir)) {
       fs9.mkdirSync(sessionDir, { recursive: true });
     }
-    const sessionFile = path10.join(sessionDir, data.session.sessionId + ".jsonl");
+    const sessionFile = path11.join(sessionDir, data.session.sessionId + ".jsonl");
     if (fs9.existsSync(sessionFile)) {
       return {
         success: false,
@@ -12142,7 +12399,7 @@ async function importSessionsFromDirectory(dirPath, targetProjectPath) {
   let success = 0;
   let failed = 0;
   for (const file of files) {
-    const filepath = path10.join(dirPath, file);
+    const filepath = path11.join(dirPath, file);
     const result = await importSessionFromFile(filepath, targetProjectPath);
     results.push(result);
     if (result.success) {
@@ -12162,7 +12419,7 @@ function restoreFromArchive(archivePath, targetDir) {
     if (!fs9.existsSync(extractTo)) {
       fs9.mkdirSync(extractTo, { recursive: true });
     }
-    execSync5(`tar -xzf "${archivePath}" -C "${extractTo}"`, {
+    execSync3(`tar -xzf "${archivePath}" -C "${extractTo}"`, {
       stdio: "ignore"
     });
     return true;
@@ -12220,7 +12477,7 @@ var importCommand = new Command25("import").description("Sessions importieren").
   console.log(colors.orange.bold("SHIVA Code - Import"));
   console.log(colors.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   log.newline();
-  const absolutePath = path11.resolve(inputPath);
+  const absolutePath = path12.resolve(inputPath);
   if (!fs10.existsSync(absolutePath)) {
     log.error(`Datei nicht gefunden: ${absolutePath}`);
     return;
@@ -12243,7 +12500,7 @@ var importCommand = new Command25("import").description("Sessions importieren").
 async function handleBackup(outputPath) {
   const spinner = ora17("Erstelle Backup...").start();
   const filename = `shiva-backup-${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}.tar.gz`;
-  const output = outputPath || path11.join(process.cwd(), filename);
+  const output = outputPath || path12.join(process.cwd(), filename);
   const success = createBackupArchive(output);
   if (success) {
     spinner.succeed(`Backup erstellt: ${output}`);
@@ -12262,7 +12519,7 @@ async function handleExportAll(outputDir, options = {}) {
     return;
   }
   spinner.text = `Exportiere ${allSessionIds.length} Sessions...`;
-  const output = outputDir || path11.join(process.cwd(), "shiva-export");
+  const output = outputDir || path12.join(process.cwd(), "shiva-export");
   const result = await exportSessions(allSessionIds, output, options);
   spinner.succeed(`Export abgeschlossen`);
   log.info(`${result.success} Sessions exportiert`);
@@ -12286,7 +12543,7 @@ async function handleExportProject(projectName, outputDir, options = {}) {
     return;
   }
   spinner.text = `Exportiere ${project.sessions.length} Sessions aus ${project.projectName}...`;
-  const output = outputDir || path11.join(process.cwd(), `${project.projectName}-export`);
+  const output = outputDir || path12.join(process.cwd(), `${project.projectName}-export`);
   const result = await exportProjectSessions(project.absolutePath, output, options);
   spinner.succeed(`Export abgeschlossen`);
   log.info(`${result.success} Sessions exportiert`);
@@ -12408,20 +12665,20 @@ async function handlePreview(filepath) {
 
 // src/commands/system/doctor.ts
 import { Command as Command26 } from "commander";
-import { execSync as execSync6 } from "child_process";
+import { execSync as execSync4 } from "child_process";
 import * as fs11 from "fs";
-import * as path12 from "path";
-import * as os5 from "os";
+import * as path13 from "path";
+import * as os6 from "os";
 function tryExec(command) {
   try {
-    return execSync6(command, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
+    return execSync4(command, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
   } catch {
     return null;
   }
 }
 function commandExists3(cmd) {
   try {
-    execSync6(`which ${cmd}`, { stdio: ["pipe", "pipe", "pipe"] });
+    execSync4(`which ${cmd}`, { stdio: ["pipe", "pipe", "pipe"] });
     return true;
   } catch {
     return false;
@@ -12572,8 +12829,8 @@ function checkNpm() {
   };
 }
 function checkShivaConfig() {
-  const configDir = path12.join(os5.homedir(), ".config", "shiva-code");
-  const configFile = path12.join(configDir, "config.json");
+  const configDir = path13.join(os6.homedir(), ".config", "shiva-code");
+  const configFile = path13.join(configDir, "config.json");
   if (!fs11.existsSync(configDir)) {
     return {
       name: "SHIVA Config",
@@ -12597,7 +12854,7 @@ function checkShivaConfig() {
   };
 }
 function checkClaudeProjects() {
-  const claudeDir = path12.join(os5.homedir(), ".claude", "projects");
+  const claudeDir = path13.join(os6.homedir(), ".claude", "projects");
   if (!fs11.existsSync(claudeDir)) {
     return {
       name: "Claude Projects",
@@ -12608,7 +12865,7 @@ function checkClaudeProjects() {
   }
   try {
     const projects = fs11.readdirSync(claudeDir).filter(
-      (f) => fs11.statSync(path12.join(claudeDir, f)).isDirectory()
+      (f) => fs11.statSync(path13.join(claudeDir, f)).isDirectory()
     );
     return {
       name: "Claude Projects",
@@ -12641,11 +12898,11 @@ function checkTmux() {
   };
 }
 function getSystemInfo() {
-  const totalMem = os5.totalmem();
+  const totalMem = os6.totalmem();
   const memGB = (totalMem / (1024 * 1024 * 1024)).toFixed(1);
   return {
-    os: `${os5.type()} ${os5.release()}`,
-    arch: os5.arch(),
+    os: `${os6.type()} ${os6.release()}`,
+    arch: os6.arch(),
     memory: `${memGB} GB`
   };
 }
@@ -12735,16 +12992,16 @@ var doctorCommand = new Command26("doctor").description("System-Check f\xFCr SHI
 
 // src/commands/system/upgrade.ts
 import { Command as Command27 } from "commander";
-import { execSync as execSync7, spawn as spawn6 } from "child_process";
+import { execSync as execSync5, spawn as spawn6 } from "child_process";
 import * as fs12 from "fs";
-import * as path13 from "path";
+import * as path14 from "path";
 import { fileURLToPath } from "url";
 var __filename = fileURLToPath(import.meta.url);
-var __dirname = path13.dirname(__filename);
+var __dirname = path14.dirname(__filename);
 var PACKAGE_NAME = "shiva-code";
 function getCurrentVersion() {
   try {
-    const packageJsonPath = path13.resolve(__dirname, "../../package.json");
+    const packageJsonPath = path14.resolve(__dirname, "../../package.json");
     if (fs12.existsSync(packageJsonPath)) {
       const packageJson = JSON.parse(fs12.readFileSync(packageJsonPath, "utf-8"));
       return packageJson.version || "0.0.0";
@@ -12761,7 +13018,7 @@ async function getLatestVersion() {
     return data["dist-tags"]?.latest || null;
   } catch {
     try {
-      const output = execSync7(`npm view ${PACKAGE_NAME} version 2>/dev/null`, {
+      const output = execSync5(`npm view ${PACKAGE_NAME} version 2>/dev/null`, {
         encoding: "utf-8"
       }).trim();
       return output || null;
@@ -12792,17 +13049,17 @@ async function checkForUpdates() {
 }
 function detectPackageManager2() {
   try {
-    const npmGlobal = execSync7("npm list -g --depth=0 2>/dev/null", { encoding: "utf-8" });
+    const npmGlobal = execSync5("npm list -g --depth=0 2>/dev/null", { encoding: "utf-8" });
     if (npmGlobal.includes(PACKAGE_NAME)) return "npm";
   } catch {
   }
   try {
-    const yarnGlobal = execSync7("yarn global list 2>/dev/null", { encoding: "utf-8" });
+    const yarnGlobal = execSync5("yarn global list 2>/dev/null", { encoding: "utf-8" });
     if (yarnGlobal.includes(PACKAGE_NAME)) return "yarn";
   } catch {
   }
   try {
-    const pnpmGlobal = execSync7("pnpm list -g 2>/dev/null", { encoding: "utf-8" });
+    const pnpmGlobal = execSync5("pnpm list -g 2>/dev/null", { encoding: "utf-8" });
     if (pnpmGlobal.includes(PACKAGE_NAME)) return "pnpm";
   } catch {
   }
@@ -13144,9 +13401,9 @@ complete -F _shiva_completions shiva
 }
 async function installBashCompletion() {
   const fs15 = await import("fs");
-  const os7 = await import("os");
-  const path15 = await import("path");
-  const bashrcPath = path15.join(os7.homedir(), ".bashrc");
+  const os8 = await import("os");
+  const path16 = await import("path");
+  const bashrcPath = path16.join(os8.homedir(), ".bashrc");
   const completionScript = generateBashCompletion();
   const marker = "# SHIVA Code Bash Completion";
   try {
@@ -13287,9 +13544,9 @@ compdef _shiva shiva
 }
 async function installZshCompletion() {
   const fs15 = await import("fs");
-  const os7 = await import("os");
-  const path15 = await import("path");
-  const zshrcPath = path15.join(os7.homedir(), ".zshrc");
+  const os8 = await import("os");
+  const path16 = await import("path");
+  const zshrcPath = path16.join(os8.homedir(), ".zshrc");
   const completionScript = generateZshCompletion();
   const marker = "# SHIVA Code Zsh Completion";
   try {
@@ -13392,10 +13649,10 @@ complete -c shiva -n "__fish_seen_subcommand_from stats" -l json -d "JSON Output
 }
 async function installFishCompletion() {
   const fs15 = await import("fs");
-  const os7 = await import("os");
-  const path15 = await import("path");
-  const fishCompletionsDir = path15.join(os7.homedir(), ".config", "fish", "completions");
-  const fishCompletionPath = path15.join(fishCompletionsDir, "shiva.fish");
+  const os8 = await import("os");
+  const path16 = await import("path");
+  const fishCompletionsDir = path16.join(os8.homedir(), ".config", "fish", "completions");
+  const fishCompletionPath = path16.join(fishCompletionsDir, "shiva.fish");
   const completionScript = generateFishCompletion();
   try {
     if (!fs15.existsSync(fishCompletionsDir)) {
@@ -13803,8 +14060,8 @@ dockerCommand.action(() => {
 // src/commands/advanced/workflow.ts
 import { Command as Command32 } from "commander";
 import * as fs13 from "fs";
-import * as path14 from "path";
-import * as os6 from "os";
+import * as path15 from "path";
+import * as os7 from "os";
 import ora20 from "ora";
 import inquirer12 from "inquirer";
 var builtInWorkflows = {
@@ -13963,7 +14220,7 @@ workflowCommand.command("delete").alias("rm").description("Workflow l\xF6schen")
   log.success(`Workflow "${name}" gel\xF6scht`);
 });
 function getWorkflowsPath() {
-  return path14.join(os6.homedir(), ".shiva", "workflows.json");
+  return path15.join(os7.homedir(), ".shiva", "workflows.json");
 }
 function loadCustomWorkflows() {
   const filepath = getWorkflowsPath();
@@ -13979,7 +14236,7 @@ function loadCustomWorkflows() {
 }
 function saveCustomWorkflow(name, workflow) {
   const filepath = getWorkflowsPath();
-  const dir = path14.dirname(filepath);
+  const dir = path15.dirname(filepath);
   if (!fs13.existsSync(dir)) {
     fs13.mkdirSync(dir, { recursive: true });
   }
@@ -14082,9 +14339,9 @@ async function executeStep(step) {
 // src/commands/advanced/hook.ts
 import { Command as Command33 } from "commander";
 import { existsSync as existsSync21, readFileSync as readFileSync10, writeFileSync as writeFileSync10, mkdirSync as mkdirSync6 } from "fs";
-import { homedir as homedir7 } from "os";
-import { join as join12 } from "path";
-var CLAUDE_SETTINGS_PATH = join12(homedir7(), ".claude", "settings.json");
+import { homedir as homedir8 } from "os";
+import { join as join13 } from "path";
+var CLAUDE_SETTINGS_PATH = join13(homedir8(), ".claude", "settings.json");
 function getClaudeSettings() {
   if (!existsSync21(CLAUDE_SETTINGS_PATH)) {
     return {};
@@ -14097,7 +14354,7 @@ function getClaudeSettings() {
   }
 }
 function saveClaudeSettings(settings) {
-  const dir = join12(homedir7(), ".claude");
+  const dir = join13(homedir8(), ".claude");
   if (!existsSync21(dir)) {
     mkdirSync6(dir, { recursive: true });
   }
@@ -14118,7 +14375,7 @@ function removeShivaHooks(eventHooks) {
 var hookCommand = new Command33("hook").description("Claude Code Hook Integration verwalten");
 hookCommand.command("install").description("SHIVA Hooks in Claude Code installieren").option("--github", "GitHub Context Injection aktivieren").option("--sync", "Cloud Sync Hooks aktivieren (Standard)").option("--scan", "Package Security Scanning aktivieren").option("--all", "Alle Hooks aktivieren").action((options) => {
   log.brand();
-  const claudePath = join12(homedir7(), ".claude");
+  const claudePath = join13(homedir8(), ".claude");
   if (!existsSync21(claudePath)) {
     log.error("Claude Code nicht gefunden");
     log.newline();
@@ -14387,7 +14644,7 @@ hookCommand.command("branch-switch").description("Branch-Wechsel behandeln (f\xF
   }
   const { getCurrentBranch: getCurrentBranch2 } = await import("./api-OEHQTBH7.js");
   const { getSessionForBranch: getSessionForBranch2, hasShivaDir: hasShivaDir2 } = await import("./config-D6M6LI6U.js");
-  const { findProject: findProject3, findSessionByBranch: findSessionByBranch2, formatRelativeTime: formatRelativeTime3 } = await import("./manager-LXNF7QWT.js");
+  const { findProject: findProject3, findSessionByBranch: findSessionByBranch2, formatRelativeTime: formatRelativeTime3 } = await import("./manager-ZPQWG7E6.js");
   const projectPath = process.cwd();
   const newBranch = getCurrentBranch2(projectPath);
   let sessionInfo = null;
@@ -14639,7 +14896,7 @@ function listPackages() {
 
 // src/index.ts
 var program = new Command35();
-program.name("shiva").description("SHIVA Code - Control Station for Claude Code").version("0.5.0");
+program.name("shiva").description("SHIVA Code - Control Station for Claude Code").version("0.5.1");
 program.addCommand(loginCommand);
 program.addCommand(logoutCommand);
 program.addCommand(sessionsCommand);
@@ -14852,7 +15109,7 @@ async function showDashboard() {
       const packageName = selected.data;
       log.newline();
       log.success(`Starte Package ${packageName}...`);
-      const { getPackageLaunchConfig: getPackageLaunchConfig2 } = await import("./package-manager-WF3UW2J4.js");
+      const { getPackageLaunchConfig: getPackageLaunchConfig2 } = await import("./package-manager-NHNQATBH.js");
       const launches = await getPackageLaunchConfig2(packageName);
       if (launches.length > 0) {
         await spawnProjects(launches, detectTerminal());