teernisse
eb8001dbf1
Security: Reject session paths containing '..' traversal segments or non-.jsonl extensions before resolving them. This prevents a malicious sessions-index.json from tricking the viewer into reading arbitrary files. Performance: Process all project directories concurrently with Promise.all instead of sequentially awaiting each one. Each directory's stat + readFile is independent I/O that benefits from parallelism. Add test case verifying that traversal paths and non-JSONL paths are rejected while valid paths pass through. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>