Security fixes, bug fixes, and native macOS fallback toolkit

[Ginkgo-AI]

Summary

This PR addresses several security vulnerabilities and bugs found during a code review, and adds documentation for a native macOS fallback toolkit when the steer binary is unavailable.

Security fixes

• Auth on listen server — all endpoints now require an X-API-Key header matching LISTEN_API_KEY in the environment. Without this, any host on the local network could submit jobs that execute arbitrary shell commands with --dangerously-skip-permissions.
• Localhost binding — server binds to 127.0.0.1 by default instead of 0.0.0.0. Set LISTEN_HOST=0.0.0.0 to override intentionally.
• Path traversal + job_id injection — job_id is now validated against ^[0-9a-f]{8}$ with an additional is_relative_to(JOBS_DIR) check on every endpoint.
• API key no longer in scrollback — ANTHROPIC_API_KEY is injected via tmux setenv instead of embedded in the command string, so it doesn't appear in capture-pane output.
• Secure temp files — tempfile.mkstemp() with 0o600 permissions replaces predictable /tmp/steer-<id>.txt paths (eliminates TOCTOU window and world-readable files).
• AppleScript injection — both worker.py and tmux.py now write commands to a temp shell script instead of embedding them in AppleScript strings, preventing injection via special characters in cwd or session names.
• Prompt not exposed in process table — prompt is read from the job YAML by the worker instead of being passed as a CLI argument visible in ps aux.

Bug fixes

• NameError crash on every job — anthropic_key was referenced before load_dotenv assigned it in worker.py, crashing every worker immediately.
• Infinite job loop — _wait_for_sentinel had no timeout; added JOB_TIMEOUT_SECONDS = 3600.
• Hardcoded tmux path — replaced /opt/homebrew/bin/tmux with shutil.which("tmux") (consistent with drive).
• YAML race condition — all job YAML reads/writes now use fcntl.flock for exclusive/shared locking.
• Swift force-cast crash — axVal used as! AXValue which crashes on unexpected attribute types; changed to as? AXValue.
• Incomplete JSON escaping — Clipboard.swift, Type.swift, Hotkey.swift only escaped " and \n; now use JSONSerialization which handles all control characters per spec.
• Missing auth header in client — direct/client.py now sends X-API-Key on all requests.

Agent improvements

• Native macOS fallback toolkit — documented osascript, screencapture, pbpaste/pbcopy, curl, and open as first-class alternatives in steer/SKILL.md for environments where the steer binary is unavailable.
• Mandatory cleanup — system prompt now explicitly marks cleanup as mandatory, requires a pre-task snapshot of running apps, and asks for a confirmation update when cleanup is done.
• LISTEN_API_KEY in .env.sample — documents the new required env var.

Test plan

• Start listen server (just listen) — verify it starts on 127.0.0.1:7600
• just send "..." without LISTEN_API_KEY set — should get 500
• just send "..." with wrong key — should get 401
• just send "..." with correct key — job should start and complete
• Verify ANTHROPIC_API_KEY does not appear in tmux scrollback during job execution
• Try GET /job/../../../../etc/passwd — should return 400
• Build steer and verify no Swift compiler errors from as? change

🤖 Generated with Claude Code