docs: document cross-window access and unbounded fetchAll

Add Security Considerations section to README covering shared state
across windows, resource limits, unbounded fetchAll, and path
validation. Add @remarks to the Database class and fetchAll() in
TypeScript, and a doc comment to the Rust fetch_all command.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: pmorris-dev

README.md

@@ -948,6 +948,41 @@ Working Tauri demo apps are in the [`examples/`](examples) directory:
 See the [toolkit crate README](crates/sqlx-sqlite-toolkit/README.md#examples)
 for setup instructions.
 
+## Security Considerations
+
+### Cross-Window Shared State
+
+Database instances are shared across all webviews/windows within the same Tauri
+application. A database loaded in one window is accessible from any other window
+without calling `load()` again. Writes from one window are immediately visible
+to reads in another, and closing a database affects all windows.
+
+### Resource Limits
+
+The plugin enforces several resource limits to prevent denial-of-service from
+untrusted or buggy frontend code:
+
+   * **Database count**: Maximum 50 concurrently loaded databases (configurable
+     via `Builder::max_databases()`)
+   * **Interruptible transaction timeout**: Transactions that exceed the idle
+     timeout (default 5 minutes) are automatically rolled back on the next
+     access attempt (configurable via `Builder::transaction_timeout()`)
+   * **Observer channel capacity**: Capped at 10,000 (default 256)
+   * **Observed tables**: Maximum 100 tables per `observe()` call
+   * **Subscriptions**: Maximum 100 active subscriptions per database
+
+### Unbounded Result Sets
+
+`fetchAll()` returns the entire result set in a single response with no built-in
+size limit. For large or unbounded queries, prefer `fetchPage()` with keyset
+pagination to keep memory usage bounded on both the Rust and TypeScript sides.
+
+### Path Validation
+
+Database paths are validated to prevent directory traversal. Absolute paths,
+`..` segments, and null bytes are rejected. All paths are resolved relative to
+the app config directory.
+
 ## Development
 
 This project follows

guest-js/index.ts

@@ -757,6 +757,12 @@ class TransactionBuilder implements PromiseLike<WriteQueryResult[]> {
  *
  * The `Database` class serves as the primary interface for
  * communicating with SQLite databases through the plugin.
+ *
+ * @remarks
+ * Database instances are shared across all webviews/windows within the same Tauri
+ * application. A database loaded in one window is accessible from any other window
+ * without calling `load()` again. This means writes from one window are immediately
+ * visible to reads in another, and closing a database affects all windows.
  */
 export default class Database {
    public path: string;
@@ -930,6 +936,11 @@ export default class Database {
     *
     * SQLite uses `$1`, `$2`, etc. for parameter binding.
     *
+    * @remarks
+    * This method returns the entire result set in a single response. For large or
+    * unbounded queries, prefer {@link fetchPage} with keyset pagination to keep memory
+    * usage bounded on both the Rust and TypeScript sides.
+    *
     * @param query - SQL SELECT query
     * @param bindValues - Optional parameter values
     *

src/commands.rs

@@ -290,7 +290,10 @@ pub async fn execute_transaction(
    }
 }
 
-/// Execute a SELECT query returning all matching rows
+/// Execute a SELECT query returning all matching rows.
+///
+/// Returns the entire result set in a single response. For large or unbounded queries,
+/// prefer `fetch_page` with keyset pagination to keep memory usage bounded.
 #[tauri::command]
 pub async fn fetch_all(
    db_instances: State<'_, DbInstances>,