fix(security): contain install-state file ops to trusted root — RCE fix (GHSA-hfpv-w6mp-5g95)

Critical: project-local install-state (e.g. a cloned repo's .cursor/ecc-install-state.json)
is attacker-controllable, and repair/uninstall/auto-update replayed its operations with
destinationPath validated only for non-emptiness — confirmed arbitrary file write/delete
and chained RCE (write ~/.bashrc, .git/hooks, or run a planted install-apply.js).

- New scripts/lib/path-safety.js: assertWithinTrustedRoot() canonicalizes (incl. symlink
  escape via nearest-existing-ancestor realpath) and fails closed unless the destination is
  within the adapter-derived trusted root.
- install-lifecycle.js: gate executeRepairOperation + executeUninstallOperation + the
  install-state removal against record.targetRoot (the adapter-resolved root, NOT the
  attacker-supplied state.target.root).
- auto-update.js: validateRepoRoot now requires package.json name to be an official ECC
  package, so a planted nested repo can't drive auto-update into executing attacker code.
- 7 containment regression tests. Existing install-lifecycle/repair/uninstall/auto-update
  suites still green (legit destinations are within the root).

tests/lib/path-safety.test.js

@@ -0,0 +1,85 @@
+'use strict';
+/**
+ * Tests for scripts/lib/path-safety.js — the install-state containment guard
+ * that fixes arbitrary file write/delete via attacker-controlled install-state
+ * (GHSA-hfpv-w6mp-5g95).
+ */
+
+const assert = require('assert');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const { assertWithinTrustedRoot, isWithinRoot } = require('../../scripts/lib/path-safety');
+
+let passed = 0;
+let failed = 0;
+
+function test(name, fn) {
+  try {
+    fn();
+    console.log(`  PASS ${name}`);
+    passed += 1;
+  } catch (error) {
+    console.log(`  FAIL ${name}`);
+    console.log(`    ${error.message}`);
+    failed += 1;
+  }
+}
+
+const root = fs.mkdtempSync(path.join(os.tmpdir(), 'path-safety-root-'));
+const outside = fs.mkdtempSync(path.join(os.tmpdir(), 'path-safety-out-'));
+
+try {
+  test('allows a path inside the trusted root', () => {
+    const p = path.join(root, '.cursor', 'rules', 'x.md');
+    // Returns the canonicalized path (symlinks like /var -> /private/var resolved).
+    assert.doesNotThrow(() => assertWithinTrustedRoot(p, root, 'repair'));
+    assert.ok(assertWithinTrustedRoot(p, root, 'repair').endsWith(path.join('.cursor', 'rules', 'x.md')));
+    assert.strictEqual(isWithinRoot(p, root), true);
+  });
+
+  test('allows the root itself', () => {
+    assert.strictEqual(isWithinRoot(root, root), true);
+  });
+
+  test('refuses an absolute path outside the root', () => {
+    const evil = path.join(outside, 'PWNED.txt');
+    assert.throws(() => assertWithinTrustedRoot(evil, root, 'repair'), /outside the install root/);
+    assert.strictEqual(isWithinRoot(evil, root), false);
+  });
+
+  test('refuses a ../ traversal escape', () => {
+    const evil = path.join(root, '..', 'escape.txt');
+    assert.throws(() => assertWithinTrustedRoot(evil, root, 'uninstall'), /outside the install root/);
+  });
+
+  test('refuses a symlinked intermediate directory that escapes the root', () => {
+    const linkDir = path.join(root, 'link');
+    try {
+      fs.symlinkSync(outside, linkDir, 'dir');
+    } catch {
+      console.log('    (symlink unsupported on this platform; skipping)');
+      return;
+    }
+    // root/link -> outside, so root/link/PWNED resolves outside the root.
+    const evil = path.join(linkDir, 'PWNED.txt');
+    assert.throws(() => assertWithinTrustedRoot(evil, root, 'repair'), /outside the install root/);
+  });
+
+  test('refuses when no trusted root is resolved', () => {
+    assert.throws(() => assertWithinTrustedRoot(path.join(root, 'x'), null, 'repair'), /no trusted install root/);
+  });
+
+  test('refuses a missing destination path', () => {
+    assert.throws(() => assertWithinTrustedRoot('', root, 'repair'), /missing destination path/);
+  });
+} finally {
+  fs.rmSync(root, { recursive: true, force: true });
+  fs.rmSync(outside, { recursive: true, force: true });
+}
+
+console.log(`\nResults: Passed: ${passed}, Failed: ${failed}`);
+if (failed > 0) {
+  process.exit(1);
+}