This PR introduces targeted, non-destructive hardening improvements to the daemon's IPC and file handling architecture.

During load testing and security review of the local daemon setup, I identified a functional limitation with large CDP payloads, a potential ToCToU socket creation race, and a CWE-61 symlink vulnerability in the default /tmp logging mechanism.

1. Fix IPC Payload Limit (Architecture & Functional)

The Root Cause:
asyncio.start_unix_server limits the reader.readline() buffer to 64KB by default. If an agent injects a large JavaScript library via helpers.js() or sends a large DOM CDP payload, the daemon silently terminates the connection with a LimitOverrunError.
The Fix:
I explicitly passed limit=1024 * 1024 * 16 (16MB) to the Unix socket initialization to natively support arbitrarily large AI-generated scripts. (Note: Windows TCP loopback is intentionally left at 64KB to prevent unauthenticated local clients from forcing large pre-auth memory allocations).

2. Prevent Unix Socket Denial of Service (Robustness)

The Root Cause:
The daemon cleans up stale sockets using if os.path.exists(path): os.unlink(path). Because os.path.exists() resolves symlinks, it returns False if the path is a broken symlink. If a broken symlink exists at the socket path, the unlink is bypassed, and the bind() call fatally crashes with Address already in use.
The Fix:
Refactored socket cleanup to use the standard, race-free EAFP pattern: try: os.unlink(path) except OSError: pass.

3. Patch Log/PID Symlink Vulnerability (Security - CWE-61)

The Root Cause:
daemon.py created the LOG and PID files directly in /tmp. Because /tmp is a world-writable shared directory on POSIX systems, a malicious local user could execute a symlink attack (CWE-61) by pre-creating /tmp/bu-default.log as a symlink pointing to another user's sensitive file (e.g., ~/.bashrc). The daemon would blindly follow the symlink and overwrite the target file.
The Fix:
Introduced a safe_open_write() helper utilizing the low-level os.open syscall with the os.O_NOFOLLOW flag to strictly reject symlink traversal at the kernel level (falling back gracefully to standard behavior on Windows).

Summary by cubic

Hardened the daemon’s IPC and file handling for stability and security. Supports large Unix socket payloads and blocks symlink-based file overwrites.

• Bug Fixes

  • Raised Unix socket read limit to 16MB to handle large CDP/JS payloads; kept Windows TCP loopback at 64KB to reduce pre-auth DoS risk.
  • Switched socket cleanup to EAFP unlink (try/except OSError), fixing crashes when a broken symlink exists.

• Security

  • Added safe_open_write() using os.O_NOFOLLOW and 0600 perms; applied to LOG and PID in /tmp to prevent CWE-61 symlink overwrites.
  • Startup now fails closed if a symlink is detected; logging uses the safe appender.

^{Written for commit 1e59cc8. Summary will update on new commits. Review in cubic}