fix: add input validation, date range checks, and security hardening

- validate-agents.js: reject invalid model names in agent frontmatter - package-manager.js: validate script/binary names against shell injection - session-manager.js: reject impossible month/day values in filenames - utils.js: support options.all for replaceInFile string patterns - strategic-compact/SKILL.md: fix hook matcher syntax and script reference - install.sh: warn when overwriting existing rule customizations - Add 24 new tests covering all validation and edge cases
2026-03-30 13:43:26 +08:00 · 2026-02-12 17:32:04 -08:00
parent 35aed05903
commit 926eba97c5
10 changed files with 312 additions and 10 deletions
--- a/scripts/lib/utils.js
+++ b/scripts/lib/utils.js
@@ -388,13 +388,26 @@ function getGitModifiedFiles(patterns = []) {

 /**
 * Replace text in a file (cross-platform sed alternative)
+ * @param {string} filePath - Path to the file
+ * @param {string|RegExp} search - Pattern to search for. String patterns replace
+ *   the FIRST occurrence only; use a RegExp with the `g` flag for global replacement.
+ * @param {string} replace - Replacement string
+ * @param {object} options - Options
+ * @param {boolean} options.all - When true and search is a string, replaces ALL
+ *   occurrences (uses String.replaceAll). Ignored for RegExp patterns.
+ * @returns {boolean} true if file was written, false on error
 */
-function replaceInFile(filePath, search, replace) {
+function replaceInFile(filePath, search, replace, options = {}) {
  const content = readFile(filePath);
  if (content === null) return false;

  try {
-    const newContent = content.replace(search, replace);
+    let newContent;
+    if (options.all && typeof search === 'string') {
+      newContent = content.replaceAll(search, replace);
+    } else {
+      newContent = content.replace(search, replace);
+    }
    writeFile(filePath, newContent);
    return true;
  } catch (err) {