fix(security): strip terminal control chars from untrusted session fields

[jorgevazquez]

Summary

Claude Code session JSON embeds attacker-influenced strings (directory names, model display names, vim mode, agent name, etc.). A malicious repo can name a directory with raw ESC sequences (delivered as JSON \u001b escapes, which serde decodes to real control bytes); cship rendered these verbatim to stdout, where the terminal interprets them — enabling window-title spoofing, cursor repositioning to overwrite on-screen text, or OSC 52 clipboard writes (CWE-150).

Fix

• Add ansi::sanitize_control, which drops every Unicode Cc (control) character — ESC, BEL, BS, CR/LF/TAB, and the C1 range.
• Apply it once at ingest in context.rs::from_reader, after deserialization, to every untrusted string field. Raw JSON values never legitimately contain control bytes, and styling escapes are added later from trusted config, so this loses nothing while neutralizing injected sequences. Sanitizing at ingest covers every downstream consumer (modules, passthrough, explain, cache) uniformly.

Testing

• New unit tests for sanitize_control (strips C0/C1/DEL, preserves Unicode/spaces) and ingest (sanitize() over all fields, a from_reader JSON-escape decode→strip check, and a regression guard that clean values are untouched).
• Full suite green: 484 lib + 74 integration tests, cargo fmt --check, cargo clippy -D warnings, release build.
• Manual end-to-end: a payload with \u001b-escaped sequences in model.display_name and workspace.current_dir renders as inert text (]0;HACKEDX, [1A) with zero stray ESC bytes, while legitimate [s](bold green) styling still emits its ANSI.

🤖 Generated with Claude Code

[stephenleo]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance. Confirmed all 12 untrusted Option<String> fields on Context (including the recently-added effort.level) are covered by sanitize(), the char::is_control() filter correctly spans C0/C1/DEL, and sanitizing once at from_reader ingest protects all downstream consumers.

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[stephenleo]

Pushed two docs additions to this branch (aa87e0e) to go with the code change:

• CHANGELOG.md — added a ### Security entry under [Unreleased] describing the control-char stripping and the CWE-150 injection vector it closes.
• docs/faq.md — added a FAQ entry, "Why are some characters missing from my path or model name?", noting that control bytes are stripped from untrusted session fields at ingest by design, that legitimate values are unaffected, and that the behavior can't be disabled — so anyone who sees stripped characters knows why.

No code changes — just documenting existing behavior so the stripping isn't surprising.

[stephenleo]

Thank you for your submission!