security: pass Haiku classifier prompt via stdin instead of argv

Scanned content (user messages, tool outputs up to 8KB) was passed as
a CLI argument to `claude -p <prompt>`, making it visible in `ps aux`
and `/proc/<pid>/cmdline` for up to 15 seconds per classification.
On shared Linux hosts (default hidepid=0) any local user could read it.

Fix: pipe the prompt through stdin (`claude -p` reads from stdin when
no argument follows) and scope the child env to PATH + HOME +
ANTHROPIC_API_KEY only.

Author: garagon

browse/src/security-classifier.ts

@@ -494,10 +494,20 @@ export async function checkTranscript(params: {
     // ~44k cache_creation tokens per call (massive cost inflation).
     // Using os.tmpdir() gives Haiku a clean context for pure classification.
     const p = spawn('claude', [
-      '-p', prompt,
+      '-p',
       '--model', HAIKU_MODEL,
       '--output-format', 'json',
-    ], { stdio: ['ignore', 'pipe', 'pipe'], cwd: os.tmpdir() });
+    ], {
+      stdio: ['pipe', 'pipe', 'pipe'],
+      cwd: os.tmpdir(),
+      env: {
+        PATH: process.env.PATH,
+        HOME: process.env.HOME,
+        ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY,
+      },
+    });
+    p.stdin.write(prompt);
+    p.stdin.end();
 
     let stdout = '';
     let done = false;