@agentrules/cli 0.3.1 → 0.3.2

package/dist/index.js

@@ -35,6 +35,11 @@ const RULE_TYPE_TUPLE = [
 
 //#endregion
 //#region ../core/src/platform/config.ts
+/**
+* Placeholder for user's home directory in path templates.
+* Consumers (e.g., CLI) are responsible for expanding this at runtime.
+*/
+const USER_HOME_DIR_PLACEHOLDER = "{userHomeDir}";
 const PLATFORM_IDS = PLATFORM_ID_TUPLE;
 /**
 * Platform configuration including supported types and install paths.
@@ -43,7 +48,7 @@ const PLATFORMS = {
 	opencode: {
 		label: "OpenCode",
 		platformDir: ".opencode",
-		globalDir: "~/.config/opencode",
+		globalDir: "{userHomeDir}/.config/opencode",
 		types: {
 			instruction: {
 				description: "Project instructions",
@@ -75,7 +80,7 @@ const PLATFORMS = {
 	claude: {
 		label: "Claude Code",
 		platformDir: ".claude",
-		globalDir: "~/.claude",
+		globalDir: "{userHomeDir}/.claude",
 		types: {
 			instruction: {
 				description: "Project instructions",
@@ -102,7 +107,7 @@ const PLATFORMS = {
 	cursor: {
 		label: "Cursor",
 		platformDir: ".cursor",
-		globalDir: "~/.cursor",
+		globalDir: "{userHomeDir}/.cursor",
 		types: {
 			instruction: {
 				description: "Project instructions",
@@ -129,7 +134,7 @@ const PLATFORMS = {
 	codex: {
 		label: "Codex",
 		platformDir: ".codex",
-		globalDir: "~/.codex",
+		globalDir: "{userHomeDir}/.codex",
 		types: {
 			instruction: {
 				description: "Project instructions",
@@ -183,7 +188,7 @@ function getInstallPath({ platform, type, name, scope = "project" }) {
 * Returns the path relative to the platform's root directory.
 *
 * Example: For codex instruction with scope="global", returns "AGENTS.md"
-* (not "~/.codex/AGENTS.md")
+* (not the full path with {userHomeDir})
 */
 function getRelativeInstallPath({ platform, type, name, scope = "project" }) {
 	const typeConfig = getTypeConfig(platform, type);
@@ -3505,6 +3510,21 @@ const COMMON_LICENSES = [
 ];
 const licenseSchema = string().trim().min(1, "License is required").max(128, "License must be 128 characters or less");
 const pathSchema = string().trim().min(1);
+/**
+* Validate a bundle file path for security.
+* Rejects paths that could escape the install directory.
+*
+* @returns true if path is safe, false otherwise
+*/
+function isValidBundlePath(path$1) {
+	if (path$1.includes("..")) return false;
+	if (path$1.startsWith("/")) return false;
+	if (path$1.startsWith("~")) return false;
+	if (path$1.includes("/~/") || path$1.includes("\\~\\")) return false;
+	if (path$1.includes("{userHomeDir}")) return false;
+	return true;
+}
+const bundlePathSchema = string().min(1).refine(isValidBundlePath, { message: "Path must be relative without traversal (no .., ~, absolute paths, or {userHomeDir})" });
 const ignorePatternSchema = string().trim().min(1, "Ignore pattern cannot be empty");
 const ignoreSchema = array(ignorePatternSchema).max(50, "Maximum 50 ignore patterns allowed");
 /**
@@ -3549,7 +3569,7 @@ const ruleConfigSchema = object({
 	platforms: array(platformEntrySchema).min(1, "At least one platform is required")
 }).strict();
 const bundledFileSchema = object({
-	path: string().min(1),
+	path: bundlePathSchema,
 	size: number().int().nonnegative(),
 	checksum: string().length(64),
 	content: string()
@@ -5611,7 +5631,7 @@ function resolveInstallTarget(platform, type, name, options) {
 	const { platformDir, globalDir } = PLATFORMS[platform];
 	if (options.global) {
 		if (!globalDir) throw new Error(`Platform "${platform}" does not support global installation`);
-		const globalRoot = resolve(expandHome(globalDir));
+		const globalRoot = resolve(expandUserHomeDir(globalDir));
 		return {
 			root: globalRoot,
 			mode: "global",
@@ -5623,7 +5643,7 @@ function resolveInstallTarget(platform, type, name, options) {
 			label: `global path ${globalRoot}`
 		};
 	}
-	const projectRoot = options.directory ? resolve(expandHome(options.directory)) : process.cwd();
+	const projectRoot = options.directory ? resolve(expandUserHomeDir(options.directory)) : process.cwd();
 	const label = options.directory ? `directory ${projectRoot}` : `project root ${projectRoot}`;
 	return {
 		root: projectRoot,
@@ -5723,15 +5743,20 @@ function ensureWithinRoot(candidate, root) {
 	if (candidate === root) return;
 	if (!candidate.startsWith(normalizedRoot)) throw new Error(`Refusing to write outside of ${root}. Derived path: ${candidate}`);
 }
-function expandHome(value) {
-	if (value.startsWith("~")) {
-		const remainder = value.slice(1);
-		const home = process.env.HOME || process.env.USERPROFILE || homedir();
+/**
+* Expand home directory references in a path string.
+* Handles both {userHomeDir} placeholder and ~ prefix.
+*/
+function expandUserHomeDir(path$1) {
+	const home = process.env.HOME || homedir();
+	if (path$1.includes(USER_HOME_DIR_PLACEHOLDER)) return path$1.replace(USER_HOME_DIR_PLACEHOLDER, home);
+	if (path$1.startsWith("~")) {
+		const remainder = path$1.slice(1);
 		if (!remainder) return home;
 		if (remainder.startsWith("/") || remainder.startsWith("\\")) return `${home}${remainder}`;
 		return `${home}/${remainder}`;
 	}
-	return value;
+	return path$1;
 }
 
 //#endregion

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentrules/cli",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "author": "Brian Cheung <bcheung.dev@gmail.com> (https://github.com/bcheung)",
   "license": "MIT",
   "homepage": "https://agentrules.directory",
@@ -53,7 +53,7 @@
     "clean": "rm -rf node_modules dist .turbo"
   },
   "dependencies": {
-    "@agentrules/core": "0.3.0",
+    "@agentrules/core": "0.3.1",
     "@clack/prompts": "^0.11.0",
     "chalk": "^5.4.1",
     "commander": "^12.1.0",