@kuznai/inception-engine 0.2.0 → 0.2.4

package/README.md

@@ -153,7 +153,9 @@ If an agent isn't detected, its skills are skipped. Use `--agents` to override d
 
 ## Running with Privilege Escalation
 
-The tool works without elevated privileges. If run with `sudo` on POSIX systems, it resolves the real user's home directory via `SUDO_USER` so skills are deployed to the correct location (not `/root/`).
+The tool works without elevated privileges. If run with `sudo` on POSIX systems, it looks up the real user's home directory from the OS directory services (`getent passwd` on Linux, `dscl` on macOS, `/etc/passwd` as a universal fallback) so skills are deployed to the correct location regardless of where home directories are stored — standard `/home/<user>`, LDAP/NIS paths, enterprise layouts, or otherwise.
+
+If the real home cannot be determined, the tool exits with an error rather than silently deploying to a guessed path.
 
 On Windows, `os.homedir()` correctly resolves even in elevated PowerShell or cmd.
 

package/dist/config/manifest.js

@@ -36,9 +36,16 @@ function validateManifest(data, filePath) {
         if (typeof skill.name !== "string" || skill.name.length === 0) {
             throw new UserError(`${filePath}: skills[${i}].name must be a non-empty string`);
         }
+        const SAFE_NAME_RE = /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/;
+        if (!SAFE_NAME_RE.test(skill.name)) {
+            throw new UserError(`${filePath}: skills[${i}].name must contain only letters, digits, hyphens, underscores, and dots, and must not start with a dot`);
+        }
         if (typeof skill.path !== "string" || skill.path.length === 0) {
             throw new UserError(`${filePath}: skills[${i}].path must be a non-empty string`);
         }
+        if (path.isAbsolute(skill.path)) {
+            throw new UserError(`${filePath}: skills[${i}].path must be a relative path`);
+        }
         if (!Array.isArray(skill.agents) || skill.agents.length === 0) {
             throw new UserError(`${filePath}: skills[${i}].agents must be a non-empty array`);
         }

package/dist/core/deploy.js

@@ -2,11 +2,16 @@ import { existsSync, lstatSync, mkdirSync, rmSync, symlinkSync, cpSync, unlinkSy
 import path from "node:path";
 import { AGENT_REGISTRY } from "../config/agents.js";
 import { resolveAgentSkillPath, getDeployMethod } from "./resolve.js";
+import { UserError } from "../errors.js";
 export function planDeploy(manifest, sourceDir, detectedAgents, home) {
     const method = getDeployMethod();
     const actions = [];
+    const resolvedSourceDir = path.resolve(sourceDir);
     for (const skill of manifest.skills) {
         const source = path.resolve(sourceDir, skill.path);
+        if (source !== resolvedSourceDir && !source.startsWith(resolvedSourceDir + path.sep)) {
+            throw new UserError(`Skill path "${skill.path}" resolves outside the repository root: ${source}`);
+        }
         for (const agentId of skill.agents) {
             if (!detectedAgents.includes(agentId))
                 continue;

package/dist/core/resolve.js

@@ -1,16 +1,65 @@
+import { execFileSync } from "node:child_process";
+import { readFileSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
+import { UserError } from "../errors.js";
 export function resolveHome() {
     if (process.platform === "win32") {
         return os.homedir();
     }
     const sudoUser = process.env["SUDO_USER"];
     if (sudoUser) {
-        const base = process.platform === "darwin" ? "/Users" : "/home";
-        return path.join(base, sudoUser);
+        return lookupHomeForUser(sudoUser);
     }
     return os.homedir();
 }
+function lookupHomeForUser(username) {
+    // Method 1: getent passwd (Linux/POSIX — handles LDAP, NIS, local via NSS)
+    if (process.platform !== "darwin") {
+        try {
+            const out = execFileSync("getent", ["passwd", username], {
+                encoding: "utf8",
+                stdio: ["ignore", "pipe", "ignore"],
+            }).trim();
+            const home = out.split(":")[5];
+            if (typeof home === "string" && home.startsWith("/"))
+                return home;
+        }
+        catch {
+            // getent unavailable or user not found — try next method
+        }
+    }
+    // Method 2: dscl (macOS directory services)
+    if (process.platform === "darwin") {
+        try {
+            const out = execFileSync("dscl", [".", "-read", `/Users/${username}`, "NFSHomeDirectory"], { encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+            const home = out.replace(/^NFSHomeDirectory:\s*/, "").trim();
+            if (home.startsWith("/"))
+                return home;
+        }
+        catch {
+            // dscl unavailable or user record not found — try next method
+        }
+    }
+    // Method 3: parse /etc/passwd directly (universal POSIX fallback)
+    try {
+        const passwd = readFileSync("/etc/passwd", "utf8");
+        for (const line of passwd.split("\n")) {
+            const parts = line.split(":");
+            if (parts[0] === username) {
+                const home = parts[5];
+                if (typeof home === "string" && home.startsWith("/"))
+                    return home;
+            }
+        }
+    }
+    catch {
+        // /etc/passwd unavailable — fall through to error
+    }
+    throw new UserError(`Cannot determine home directory for user "${username}". ` +
+        `Tried getent, dscl, and /etc/passwd. ` +
+        `Run without sudo, or set HOME to the correct path before invoking with sudo.`);
+}
 export function getPlatformKey() {
     return process.platform === "win32" ? "windows" : "posix";
 }

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@kuznai/inception-engine",
-  "version": "0.2.0",
+  "version": "0.2.4",
   "description": "Deploy AI agent skills from a git repo to user home directories",
   "license": "MIT",
-  "author": "Damian Piatkowski",
+  "author": "Damian Piątkowski",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/KuzniAI/inception-engine.git"