Fix 29 audit findings across all severity tiers

Critical: fix unsquashfs arg order, quote Exec paths with spaces,
fix compare_versions antisymmetry, chunk-based signature detection,
bounded ELF header reads.

High: handle NULL CVE severity, prevent pipe deadlock in inspector,
fix glob_match edge case, fix backup archive path collisions, async
crash detection with stderr capture.

Medium: gate scan on auto-scan setting, fix window size persistence,
fix announce() for Stack containers, claim lightbox gesture, use
serde_json for CLI output, remove dead CSS @media blocks, add
detail-tab persistence, remove invalid metainfo categories, byte-level
fuse signature search.

Low: tighten Wayland env var detection, ELF magic validation,
timeout for update info extraction, quoted arg parsing, stop watcher
timer on window destroy, GSettings choices/range constraints, remove
unused CSS classes, define status-ok/status-attention CSS.

src/cli.rs

@@ -112,21 +112,19 @@ fn cmd_list(db: &Database, format: &str) -> ExitCode {
     }
 
     if format == "json" {
-        // Simple JSON output
-        println!("[");
-        for (i, r) in records.iter().enumerate() {
-            let comma = if i + 1 < records.len() { "," } else { "" };
-            println!(
-                "  {{\"name\": \"{}\", \"version\": \"{}\", \"path\": \"{}\", \"size\": {}, \"integrated\": {}}}{}",
-                r.app_name.as_deref().unwrap_or(&r.filename),
-                r.app_version.as_deref().unwrap_or(""),
-                r.path,
-                r.size_bytes,
-                r.integrated,
-                comma,
-            );
-        }
-        println!("]");
+        let items: Vec<serde_json::Value> = records
+            .iter()
+            .map(|r| {
+                serde_json::json!({
+                    "name": r.app_name.as_deref().unwrap_or(&r.filename),
+                    "version": r.app_version.as_deref().unwrap_or(""),
+                    "path": r.path,
+                    "size": r.size_bytes,
+                    "integrated": r.integrated,
+                })
+            })
+            .collect();
+        println!("{}", serde_json::to_string_pretty(&items).unwrap_or_else(|_| "[]".into()));
         return ExitCode::SUCCESS;
     }