Security-first, or it isn't local-first

CVE-2025-59528 — the Antigravity sandbox escape (CVSS 10.0) — is why Mooter ships sandboxing as mandatory. Every spawn is wrapped in four layers, and there is no --no-sandbox.

1. Network egress — empty network namespace for isolated spawns.
2. Filesystem boundary — read-only root; one writable worktree; secret dirs masked.
3. Secrets scoping — cleared env + whitelist; provider keys excluded from local spawns.
4. Config protection — your settings stay read-only.

mooter security audit reports the layers on your host; mooter security spawn-test runs a real escape attempt and must block reading ~/.ssh, writing outside the worktree, and leaking the API key.