• fix(ci): prevent promote-release tag command injection (#1350)
• fix(ui-docs): remove third-party runtime assets from health report (#1349)
• fix(codex-auth): stop spawning powershell in shell detection (#1348)
• fix(analytics): harden sqlite3 invocation for native Droid usage scan (#1347)
• fix(codex-quota): guard feature label type in quota windows (#1346)
• fix(pricing): guard malformed models.dev model entries (#1344)
• fix(cliproxy): sanitize local port before config regeneration (#1342)
• fix(dispatcher): treat --print as non-subcommand Claude session (#1341)
• fix(cliproxy): disable spoofable default bg keepalive probe (#1340)