fix: add input validation, date range checks, and security hardening

- validate-agents.js: reject invalid model names in agent frontmatter
- package-manager.js: validate script/binary names against shell injection
- session-manager.js: reject impossible month/day values in filenames
- utils.js: support options.all for replaceInFile string patterns
- strategic-compact/SKILL.md: fix hook matcher syntax and script reference
- install.sh: warn when overwriting existing rule customizations
- Add 24 new tests covering all validation and edge cases
Affaan Mustafa
2026-02-12 17:32:04 -08:00
parent 35aed05903
commit 926eba97c5
10 changed files with 312 additions and 10 deletions


@@ -70,6 +70,12 @@ fi
if [[ "$TARGET" == "claude" ]]; then
DEST_DIR="${CLAUDE_RULES_DIR:-$HOME/.claude/rules}"
# Warn if destination already exists (user may have local customizations)
if [[ -d "$DEST_DIR" ]] && [[ "$(ls -A "$DEST_DIR" 2>/dev/null)" ]]; then
echo "Note: $DEST_DIR/ already exists. Existing files will be overwritten."
echo " Back up any local customizations before proceeding."
fi
# Always install common rules
echo "Installing common rules -> $DEST_DIR/common/"
mkdir -p "$DEST_DIR/common"
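Review bot: The added warning tells the user to back up customizations "before proceeding", but nothing in the visible lines pauses or asks for confirmation, so `mkdir -p "$DEST_DIR/common"` runs right after the message and the user has no chance to act on it. If no confirmation happens later in the script, either reword the message to say that files are being overwritten now, or gate the overwrite on an interactive prompt such as `if [[ -t 0 ]]; then read -r -p "Continue? [y/N] " reply; [[ "$reply" =~ ^[Yy]$ ]] || exit 1; fi`. The two `echo` lines should also go to stderr (`>&2`) so the notice is not lost when stdout is redirected or captured. The enclosing `if [[ "$TARGET" == "claude" ]]` block continues past the end of the hunk, so the copy step itself is not visible here.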