Intent-Code Divergence
Medium
- Confidence
- 90% confidence
- Finding
- The setup prompt tells users their login credentials will be stored locally, but the config schema also supports persisting session cookies in the same file. That creates a misleading disclosure boundary: users may believe only username/password are stored, while reusable authenticated session material may also be written to disk and later exposed through local compromise, backups, or accidental sharing.
