@runa-ai/runa-cli 0.5.28 → 0.5.31

package/dist/internal/vuln-checker/analyzers/secret-analyzer.d.ts

@@ -4,6 +4,11 @@
  * Purpose: Detect hardcoded secrets, API keys, tokens, and credentials
  * Philosophy: Pattern-based detection with entropy analysis
  *
+ * Security (Issue #463):
+ * - All regex patterns are designed to avoid ReDoS (catastrophic backtracking)
+ * - Input size limits prevent resource exhaustion
+ * - Patterns avoid nested quantifiers and complex backreferences
+ *
  * Detects:
  * - API keys (AWS, Google, Stripe, GitHub, etc.)
  * - Private keys (RSA, SSH)

package/dist/internal/vuln-checker/analyzers/secret-analyzer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"secret-analyzer.d.ts","sourceRoot":"","sources":["../../../../src/internal/vuln-checker/analyzers/secret-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAKH,OAAO,KAAK,EAAE,QAAQ,EAAE,eAAe,EAAE,QAAQ,EAAE,OAAO,EAAoB,MAAM,aAAa,CAAC;AAu9BlG;;GAEG;AACH,qBAAa,cAAe,YAAW,QAAQ;IAC7C,IAAI,SAAoB;IACxB,UAAU,EAAE,QAAQ,EAAE,CAAc;IAE9B,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;YAkB7C,cAAc;IAY5B,OAAO,CAAC,UAAU;CAGnB"}
+{"version":3,"file":"secret-analyzer.d.ts","sourceRoot":"","sources":["../../../../src/internal/vuln-checker/analyzers/secret-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAKH,OAAO,KAAK,EAAE,QAAQ,EAAE,eAAe,EAAE,QAAQ,EAAE,OAAO,EAAoB,MAAM,aAAa,CAAC;AAgiClG;;GAEG;AACH,qBAAa,cAAe,YAAW,QAAQ;IAC7C,IAAI,SAAoB;IACxB,UAAU,EAAE,QAAQ,EAAE,CAAc;IAE9B,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;YAkB7C,cAAc;IAY5B,OAAO,CAAC,UAAU;CAGnB"}

package/dist/internal/vuln-checker/config/loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../../../src/internal/vuln-checker/config/loader.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEjE;;GAEG;AACH,wBAAsB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAkBhG;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CA6B5F"}
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../../../src/internal/vuln-checker/config/loader.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEjE;;GAEG;AACH,wBAAsB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAmBhG;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CA8B5F"}

package/dist/utils/config-updater.d.ts

@@ -4,6 +4,11 @@
  * Purpose: Update runa.config.ts with detected values (e.g., Vercel root directory)
  * Design: Uses regex replacement to preserve existing config structure
  *
+ * Security:
+ * - Directory paths are validated to prevent injection attacks
+ * - Version strings are validated against semver pattern
+ * - Special characters are escaped in replacement strings
+ *
  * Usage:
  *   await updateRunaConfigAppDirectory('apps/dashboard');
  */

package/dist/utils/config-updater.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-updater.d.ts","sourceRoot":"","sources":["../../src/utils/config-updater.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH;;;;;;GAMG;AACH,wBAAgB,4BAA4B,CAC1C,YAAY,EAAE,MAAM,EACpB,SAAS,GAAE,MAAsB,GAChC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAsCtC;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,SAAS,EAAE,MAAM,EACjB,mBAAmB,EAAE,MAAM,GAAG,IAAI,GACjC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAW5D;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,SAAS,GAAE,MAAsB,GAChC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAgDtC"}
+{"version":3,"file":"config-updater.d.ts","sourceRoot":"","sources":["../../src/utils/config-updater.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAoEH;;;;;;GAMG;AACH,wBAAgB,4BAA4B,CAC1C,YAAY,EAAE,MAAM,EACpB,SAAS,GAAE,MAAsB,GAChC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CA6CtC;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,SAAS,EAAE,MAAM,EACjB,mBAAmB,EAAE,MAAM,GAAG,IAAI,GACjC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAW5D;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,SAAS,GAAE,MAAsB,GAChC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CA2DtC"}

package/dist/utils/github-output-security.d.ts

@@ -0,0 +1,36 @@
+/**
+ * AI HINT: GitHub Actions Output Security
+ *
+ * Purpose: Secure validation of GITHUB_OUTPUT file writes
+ * Security:
+ * - Validates GITHUB_OUTPUT path is within safe directories (Issue #457)
+ * - Prevents path traversal attacks via symlink resolution
+ * - Blocks writes to sensitive system paths
+ *
+ * GITHUB_OUTPUT in GitHub Actions:
+ * - Set to a file in runner's temp directory (e.g., /home/runner/work/_temp/_runner_file_commands/set_output_*)
+ * - Used to pass step outputs via `echo "key=value" >> $GITHUB_OUTPUT`
+ */
+/**
+ * Validate that a path is safe for writing GitHub Actions output.
+ *
+ * SECURITY (Issue #457): Prevents injection attacks via GITHUB_OUTPUT.
+ *
+ * @param filePath - The file path to validate
+ * @returns Object with validation result and resolved path
+ */
+export declare function validateGitHubOutputPath(filePath: string): Promise<{
+    valid: boolean;
+    resolvedPath: string | null;
+    error?: string;
+}>;
+/**
+ * Securely write to GITHUB_OUTPUT file.
+ *
+ * SECURITY (Issue #457): Validates the output path before writing.
+ *
+ * @param values - Key-value pairs to write
+ * @throws CLIError if GITHUB_OUTPUT is not set or path is invalid
+ */
+export declare function writeGitHubOutputSecure(values: Record<string, string>): Promise<void>;
+//# sourceMappingURL=github-output-security.d.ts.map

package/dist/utils/github-output-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github-output-security.d.ts","sourceRoot":"","sources":["../../src/utils/github-output-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AA0CH;;;;;;;GAOG;AACH,wBAAsB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;IACxE,KAAK,EAAE,OAAO,CAAC;IACf,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC,CAyED;AAED;;;;;;;GAOG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAiC3F"}

package/dist/utils/path-security.d.ts

@@ -0,0 +1,98 @@
+/**
+ * AI HINT: Path Security Utility
+ *
+ * Purpose: Prevent path traversal attacks in file operations
+ * Security: Validates paths don't escape intended directories
+ *
+ * Pattern:
+ * 1. Normalize paths to remove .. sequences
+ * 2. Resolve to absolute paths
+ * 3. Verify resolved path is within allowed base directory
+ * 4. Reject paths containing dangerous characters
+ *
+ * @see Issue #453 - Path traversal in seed management file operations
+ * @see Issue #462 - Path traversal in config and environment file loading
+ */
+/**
+ * Validate that a path doesn't contain dangerous characters.
+ * Checks for control characters and shell metacharacters.
+ *
+ * @param userPath - The path to validate
+ * @returns true if safe, false if contains dangerous characters
+ */
+export declare function hasNoDangerousChars(userPath: string): boolean;
+/**
+ * Check if a path contains path traversal sequences.
+ *
+ * @param userPath - The path to check
+ * @returns true if contains traversal, false otherwise
+ */
+export declare function containsPathTraversal(userPath: string): boolean;
+/**
+ * Validate that a user-provided path is safe to use within a base directory.
+ *
+ * Security checks:
+ * 1. Path doesn't contain dangerous characters
+ * 2. Path doesn't contain path traversal sequences (../)
+ * 3. Resolved path is within the base directory
+ *
+ * @param userPath - The user-provided path (relative)
+ * @param baseDir - The base directory the path should be within
+ * @returns true if path is safe, false otherwise
+ */
+export declare function validateSafePath(userPath: string, baseDir: string): boolean;
+/**
+ * Safely resolve a user path within a base directory.
+ * Throws if the path would escape the base directory.
+ *
+ * @param baseDir - The base directory
+ * @param userPath - The user-provided relative path
+ * @returns The resolved absolute path
+ * @throws Error if path validation fails
+ */
+export declare function resolveSafePath(baseDir: string, userPath: string): string;
+/**
+ * Validate a list of paths and return only the safe ones.
+ * Logs warnings for rejected paths.
+ *
+ * @param paths - Array of paths to validate
+ * @param baseDir - The base directory paths should be within
+ * @param logger - Optional logger for warnings
+ * @returns Array of safe paths
+ */
+export declare function filterSafePaths(paths: string[], baseDir: string, logger?: {
+    warn: (msg: string) => void;
+}): string[];
+/**
+ * SECURITY (Issue #462): Maximum depth for directory traversal operations.
+ * Prevents infinite loops and limits resource consumption.
+ */
+export declare const MAX_DIRECTORY_TRAVERSAL_DEPTH = 10;
+/**
+ * SECURITY (Issue #462): Validate an environment file suffix.
+ * Ensures the suffix doesn't contain path traversal sequences.
+ *
+ * @param suffix - The suffix to validate (e.g., "development", "preview")
+ * @throws Error if suffix contains invalid characters
+ */
+export declare function validateEnvSuffix(suffix: string): void;
+/**
+ * SECURITY (Issue #462): Build a safe environment file path.
+ * Validates the environment name before constructing the path.
+ *
+ * @param projectRoot - Project root directory
+ * @param envName - Environment name (e.g., "development", "preview")
+ * @param local - Whether to append ".local" suffix
+ * @returns Safe path to the environment file
+ */
+export declare function buildSafeEnvFilePath(projectRoot: string, envName: string, local?: boolean): string;
+/**
+ * SECURITY (Issue #462): Verify a path is contained within a base directory.
+ * Prevents escaping the intended directory via path manipulation.
+ *
+ * @param basePath - The expected parent directory
+ * @param targetPath - The path to verify
+ * @returns true if targetPath is within basePath
+ */
+export declare function isPathContained(basePath: string, targetPath: string): boolean;
+//# sourceMappingURL=path-security.d.ts.map

package/dist/utils/path-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-security.d.ts","sourceRoot":"","sources":["../../src/utils/path-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAiBH;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAc7D;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAW/D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CA6B3E;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CASzE;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EAAE,EACf,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE;IAAE,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GACvC,MAAM,EAAE,CAQV;AAMD;;;GAGG;AACH,eAAO,MAAM,6BAA6B,KAAK,CAAC;AAQhD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAiBtD;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,UAAQ,GAAG,MAAM,CAahG;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAI7E"}

package/dist/utils/secure-exec.d.ts

@@ -2,15 +2,21 @@
  * AI HINT: Secure Binary Execution Utility
  *
  * Purpose: Prevent PATH manipulation attacks by resolving and validating binary paths
- * Security: Resolves binary paths once, caches results, validates before execution
+ * Security:
+ * - Only allows binaries from trusted directories (Issue #459)
+ * - Caches results with PATH change detection
+ * - Validates binary exists and is executable before use
+ * - Uses shell: false for all executions
  *
  * Pattern:
- * 1. Resolve binary path using `which` command (or platform equivalent)
- * 2. Cache resolved paths for performance
- * 3. Validate binary exists and is executable before use
- * 4. Use absolute path in execa calls
+ * 1. Resolve binary path by searching trusted directories
+ * 2. Cache resolved paths with PATH fingerprint for invalidation
+ * 3. Validate the path is in a trusted directory
+ * 4. Validate binary exists and is executable before use
+ * 5. Use absolute path in execa calls with shell: false
  *
  * @see Issue #380 - User-controlled path binary execution vulnerability
+ * @see Issue #459 - PATH injection attack mitigation
  */
 import { type Options as ExecaOptions, type ResultPromise } from 'execa';
 /**
@@ -27,11 +33,12 @@ export declare function clearBinaryPathCache(): void;
 /**
  * Resolve a binary name to its absolute path.
  *
- * SECURITY:
+ * SECURITY (Issue #459):
  * - Only resolves binaries in the TRUSTED_BINARIES list
- * - Uses PATH environment variable for resolution
+ * - Only searches in TRUSTED_DIRECTORIES
  * - Validates the resolved path is executable
- * - Caches results with TTL to prevent repeated lookups
+ * - Caches results with TTL and PATH fingerprint for invalidation
+ * - Re-validates cached paths are still executable
  *
  * @throws Error if binary is not trusted or not found
  */
@@ -43,11 +50,11 @@ export declare function isBinaryAvailable(binaryName: string): boolean;
 /**
  * Execute a trusted binary with resolved absolute path.
  *
- * SECURITY: This function:
+ * SECURITY (Issue #459): This function:
  * 1. Validates the binary is in the trusted list
- * 2. Resolves the absolute path (not relying on shell PATH)
+ * 2. Resolves the absolute path from trusted directories only
  * 3. Validates the path is executable
- * 4. Passes the absolute path to execa
+ * 4. Passes the absolute path to execa with shell: false
  *
  * @param binaryName - Name of the trusted binary to execute
  * @param args - Arguments to pass to the binary
@@ -59,7 +66,10 @@ export declare function secureExeca(binaryName: TrustedBinary, args?: readonly s
  * Execute a command relative to node_modules/.bin
  * This is for locally installed packages.
  *
- * SECURITY: Only executes from the project's node_modules/.bin directory.
+ * SECURITY (Issue #459):
+ * - Only executes from the project's node_modules/.bin directory
+ * - Validates the binary name to prevent path traversal
+ * - Uses shell: false
  */
 export declare function secureExecaLocal(binaryName: string, args?: readonly string[], options?: ExecaOptions & {
     cwd?: string;

package/dist/utils/secure-exec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"secure-exec.d.ts","sourceRoot":"","sources":["../../src/utils/secure-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,OAAO,EAAE,KAAK,OAAO,IAAI,YAAY,EAAE,KAAK,aAAa,EAAS,MAAM,OAAO,CAAC;AAMhF;;;GAGG;AACH,eAAO,MAAM,gBAAgB,gIAenB,CAAC;AAEX,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC;AAgB9D;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA+CD;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAuC5D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAO7D;AAMD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,WAAW,CACzB,UAAU,EAAE,aAAa,EACzB,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GACrB,aAAa,CAGf;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GAAG;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GACxC,aAAa,CAaf;AAMD;;GAEG;AACH,wBAAgB,UAAU,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE9F;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE7F;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE5F;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAEhG;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GACrB,aAAa,CAEf;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAEhG;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE9F"}
+{"version":3,"file":"secure-exec.d.ts","sourceRoot":"","sources":["../../src/utils/secure-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAIH,OAAO,EAAE,KAAK,OAAO,IAAI,YAAY,EAAE,KAAK,aAAa,EAAS,MAAM,OAAO,CAAC;AAMhF;;;GAGG;AACH,eAAO,MAAM,gBAAgB,gIAenB,CAAC;AAEX,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC;AA8D9D;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA0GD;;;;;;;;;;;GAWG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAyD5D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAO7D;AAMD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,WAAW,CACzB,UAAU,EAAE,aAAa,EACzB,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GACrB,aAAa,CAIf;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GAAG;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GACxC,aAAa,CAsBf;AAMD;;GAEG;AACH,wBAAgB,UAAU,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE9F;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE7F;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE5F;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAEhG;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GACrB,aAAa,CAEf;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAEhG;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE9F"}

package/dist/utils/template-fetcher.d.ts

@@ -4,6 +4,17 @@
  * Purpose: Fetch templates from @r06-dev/runa-templates (GitHub Packages)
  * Used by: init.ts, upgrade.ts (Admin commands only)
  *
+ * Security:
+ * - Version parameter validated against path traversal attacks (Issue #460)
+ * - Cache paths verified to stay within cache base directory (Issue #460)
+ * - Workspace resolution limits traversal depth (MAX_WORKSPACE_TRAVERSAL_DEPTH)
+ * - Multiple workspace markers required (pnpm-workspace.yaml + package.json)
+ * - Path normalization prevents symlink attacks
+ * - Token scoping minimizes credential exposure
+ *
+ * @see Issue #450 - Workspace template path traversal vulnerability
+ * @see Issue #460 - Path traversal in template fetcher cache management
+ *
  * Authentication Flow:
  * ┌─────────────────────────────────────────────────────────────────┐
  * │ 1. Check workspace (runa-repo development)                      │

package/dist/utils/template-fetcher.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"template-fetcher.d.ts","sourceRoot":"","sources":["../../src/utils/template-fetcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAcH,MAAM,WAAW,qBAAqB;IACpC,yEAAyE;IACzE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,0BAA0B;IAC1B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,8CAA8C;IAC9C,YAAY,EAAE,MAAM,CAAC;IACrB,+BAA+B;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,+CAA+C;IAC/C,MAAM,EAAE,OAAO,CAAC;CACjB;AA6MD;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,OAAO,GAAE,qBAA0B,GAClC,OAAO,CAAC,oBAAoB,CAAC,CAgF/B;AAkCD;;GAEG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC,CAKzD"}
+{"version":3,"file":"template-fetcher.d.ts","sourceRoot":"","sources":["../../src/utils/template-fetcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AAkEH,MAAM,WAAW,qBAAqB;IACpC,yEAAyE;IACzE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,0BAA0B;IAC1B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,8CAA8C;IAC9C,YAAY,EAAE,MAAM,CAAC;IACrB,+BAA+B;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,+CAA+C;IAC/C,MAAM,EAAE,OAAO,CAAC;CACjB;AA0OD;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,OAAO,GAAE,qBAA0B,GAClC,OAAO,CAAC,oBAAoB,CAAC,CAgF/B;AAmGD;;GAEG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC,CAKzD"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runa-ai/runa-cli",
-  "version": "0.5.28",
+  "version": "0.5.31",
   "private": false,
   "description": "AI-powered DevOps CLI",
   "type": "module",
@@ -26,7 +26,7 @@
   },
   "dependencies": {
     "@dotenvx/dotenvx": "1.51.4",
-    "@runa-ai/runa": "^0.5.27",
+    "@runa-ai/runa": "^0.5.31",
     "@runa-ai/runa-xstate-test-plugin": "^0.5.28",
     "@types/node": "22.19.3",
     "boxen": "7.1.1",