fix: resolve medium/low audit findings across backend and frontend

- ctx CLI: validate int() limit arg, wrap FTS5 MATCH in try/except
- ctx.rs: FTS5 error message clarity, Mutex::lock() returns Err not panic
- sdk-messages.ts: runtime type guards (str/num) replace bare `as` casts
- agent-runner.ts: strip ANTHROPIC_* env vars alongside CLAUDE*
- agent-dispatcher.ts: timestamps use seconds (match session.rs convention)
- remote.rs: disconnect handler uses lock().await not try_lock()
- session.rs: propagate pane_ids serialization error
- watcher.rs: reject root-level paths instead of silent no-op
- lib.rs: log warnings on profile.toml read failure and resource_dir error
- agent-bridge.ts: validate event payload is object before cast

v2/src-tauri/src/lib.rs

@@ -240,7 +240,10 @@ fn claude_list_profiles() -> Vec<ClaudeProfile> {
             // Read profile.toml for metadata
             let toml_path = entry.path().join("profile.toml");
             let (email, subscription_type, display_name) = if toml_path.exists() {
-                let content = std::fs::read_to_string(&toml_path).unwrap_or_default();
+                let content = std::fs::read_to_string(&toml_path).unwrap_or_else(|e| {
+                    log::warn!("Failed to read {}: {e}", toml_path.display());
+                    String::new()
+                });
                 (
                     extract_toml_value(&content, "email"),
                     extract_toml_value(&content, "subscription_type"),
@@ -606,7 +609,10 @@ pub fn run() {
                 .handle()
                 .path()
                 .resource_dir()
-                .unwrap_or_default();
+                .unwrap_or_else(|e| {
+                    log::warn!("Failed to resolve resource_dir: {e}");
+                    std::path::PathBuf::new()
+                });
             let dev_root = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR"))
                 .parent()
                 .unwrap()