- bound fresh-clone JSONL discovery to the .beads dir (abs path, traversal guard) before reading counts
- add safeWorkspacePath/isWithinWorkspace helpers and use in doctor fixes (database_config, untracked) to reject absolute/traversal inputs and confine .gitattributes edits
- normalize git status paths and path-guard tests for cross-OS (Windows) compatibility
- add regression tests for the new guards
cb6ccef7c2