claudecode-linter 2.1.148 → 2.1.150-patch.1

package/dist/linters/settings-json.js

@@ -1,11 +1,13 @@
 import { basename } from "node:path";
-import { SETTINGS_USER_FIELDS, SETTINGS_PROJECT_FIELDS, TOOLS, PERMISSIONS_FIELDS, PERMISSION_MODES, SANDBOX_FIELDS, SANDBOX_NETWORK_FIELDS, SANDBOX_FILESYSTEM_FIELDS, } from "../contracts.js";
+import { SETTINGS_USER_FIELDS, TOOLS, PERMISSIONS_FIELDS, PERMISSION_MODES, SANDBOX_FIELDS, SANDBOX_NETWORK_FIELDS, SANDBOX_FILESYSTEM_FIELDS, } from "../contracts.js";
 import { formatAjvError, loadSettingsSchema, summarizeErrors, } from "../plugin-schema.js";
 import { isRuleEnabled, getRuleSeverity } from "../types.js";
 const RULES = [
     { id: "settings-json/valid-json", defaultSeverity: "error" },
     { id: "settings-json/schema-valid", defaultSeverity: "error" },
-    { id: "settings-json/scope-file-name", defaultSeverity: "error" },
+    // settings-json/scope-file-name removed in gitea#4 — .claude/settings.json
+    // is a valid project-shared settings source. See misplaced-file/* for
+    // wrong-path warnings.
     { id: "settings-json/scope-field", defaultSeverity: "warning" },
     { id: "settings-json/no-unknown-fields", defaultSeverity: "warning" },
     { id: "settings-json/permissions-object", defaultSeverity: "error" },
@@ -242,22 +244,47 @@ export const settingsJsonLinter = {
                 }
             }
         }
-        // Scope-aware: settings.json (non-local) should only be at user level
-        if (!isLocal && scope && scope !== "user") {
-            push(diag(config, filePath, "settings-json/scope-file-name", "error", `"settings.json" should only exist at user level (~/.claude/). Use "settings.local.json" for project-level settings`));
-        }
-        // Determine which fields are valid for this scope
-        const knownFields = (scope === "user" || !scope) ? SETTINGS_USER_FIELDS : SETTINGS_PROJECT_FIELDS;
-        // unknown/misplaced top-level fields
+        // gitea#4: `.claude/settings.json` is a first-class project settings source
+        // (`projectSettings`, committed/shared) distinct from `.claude/settings.local.json`
+        // (`localSettings`, gitignored). Claude Code's bundle defines both:
+        //   `case "projectSettings": return Rk.join(".claude","settings.json")`
+        //   `case "localSettings":   return "project, gitignored"`
+        // The rule no longer fires for plain project-level settings.json; the
+        // `misplaced-file/canonical-location` rule covers files at the wrong path.
+        // Determine which fields are valid for this scope. gitea#2: the legacy
+        // SETTINGS_PROJECT_FIELDS whitelist is too narrow — Claude Code accepts
+        // most user-level fields at project scope too. We now treat all known
+        // user fields as valid at project scope, except a small denylist of
+        // genuinely user-only fields (auth helpers, plugin enablement, dangerous
+        // mode), which still warn via `settings-json/scope-field`.
+        const knownFields = SETTINGS_USER_FIELDS;
+        // Fields that genuinely only take effect at user scope. Project-scope
+        // versions are silently ignored by Claude Code. Source: bundle inspection
+        // (auth helpers run from user creds; enabledPlugins / skip-permission
+        // flags can't be enabled by a checked-in repo for security reasons).
+        const USER_ONLY_FIELDS = new Set([
+            "apiKeyHelper",
+            "awsAuthRefresh",
+            "awsCredentialExport",
+            "gcpAuthRefresh",
+            "proxyAuthHelper",
+            "policyHelper",
+            "enabledPlugins",
+            "skipDangerousModePermissionPrompt",
+            "forceLoginMethod",
+            "forceLoginOrgUUID",
+        ]);
+        // unknown / misplaced top-level fields
         for (const key of Object.keys(parsed)) {
             if (!knownFields.has(key)) {
                 const p = findKeyPosition(content, key);
-                if (SETTINGS_USER_FIELDS.has(key) && scope && scope !== "user") {
-                    push(diag(config, filePath, "settings-json/scope-field", "warning", `"${key}" is a user-level field — it has no effect in project-level settings.local.json`, p?.line, p?.column));
-                }
-                else if (!SETTINGS_USER_FIELDS.has(key)) {
-                    push(diag(config, filePath, "settings-json/no-unknown-fields", "warning", `Unknown top-level field "${key}"`, p?.line, p?.column));
-                }
+                push(diag(config, filePath, "settings-json/no-unknown-fields", "warning", `Unknown top-level field "${key}"`, p?.line, p?.column));
+                continue;
+            }
+            // gitea#2: only the genuinely user-only denylist warns at project scope.
+            if (USER_ONLY_FIELDS.has(key) && scope && scope !== "user") {
+                const p = findKeyPosition(content, key);
+                push(diag(config, filePath, "settings-json/scope-field", "warning", `"${key}" only takes effect at user level (~/.claude/settings.json); it is ignored in project settings`, p?.line, p?.column));
             }
         }
         // Validate the sub-keys of a nested object against a known-field set and a

package/dist/linters/skill-md.js

@@ -1,5 +1,7 @@
+import { AGENT_MODELS, TOOLS } from "../contracts.js";
 import { formatAjvError, loadSkillFrontmatterSchema, summarizeErrors, } from "../plugin-schema.js";
 import { isRuleEnabled, getRuleSeverity } from "../types.js";
+import { invalidEffortReason } from "../utils/effort.js";
 import { parseFrontmatter } from "../utils/frontmatter.js";
 import { artifactLabel, classifyUnknownFrontmatterKey, } from "../utils/frontmatter-keys.js";
 import { isKebabCase } from "../utils/kebab-case.js";
@@ -13,6 +15,10 @@ const RULES = [
     { id: "skill-md/description-max-length", defaultSeverity: "error" },
     { id: "skill-md/description-no-angle-brackets", defaultSeverity: "error" },
     { id: "skill-md/description-trigger-phrases", defaultSeverity: "warning" },
+    { id: "skill-md/model-valid", defaultSeverity: "warning" },
+    { id: "skill-md/effort-valid", defaultSeverity: "warning" },
+    { id: "skill-md/allowed-tools-valid", defaultSeverity: "warning" },
+    { id: "skill-md/frontmatter-field-type", defaultSeverity: "warning" },
     { id: "skill-md/no-unknown-frontmatter", defaultSeverity: "info" },
     { id: "skill-md/body-word-count", defaultSeverity: "info" },
     { id: "skill-md/body-has-headers", defaultSeverity: "info" },
@@ -46,7 +52,13 @@ function hasTriggerSignal(desc) {
     // ("Trigger on …", "Trigger when/whenever/if …", "Triggers: …", "TRIGGER
     // when:") — not when "trigger" merely appears as a noun (e.g. the phrase
     // "no trigger phrases").
-    const triggerPhrases = /\btrigger(s)?\b\s*(on|when|whenever|if|upon|for)\b|\btriggers?\s*:|\buse (this skill |it )?(when|whenever|for|to|on|if)\b|\bshould be used (when|whenever|for|to|if)\b|\b(applies|invoke|reach for|call this|run this|use this) (when|whenever|if|to|for)\b|\bwhen (the user|you|asked|working|debugging|diagnosing|investigating|reviewing|writing|building|creating|editing|setting up|deploying|the task|a request|a question|you need|there|something|anything)\b|\bwhen [a-z]+ing\b|\bfor (debugging|diagnosing|tasks|requests|questions|when|any)\b/i;
+    // gitea#5: widened to accept more applicability phrasings observed in the
+    // wild — "Loaded automatically when …", "when a turn touches …",
+    // "applies to …", "for memory operations", "Memory protocol for the X
+    // MCP" (a noun-opener that names the domain). The runtime makes
+    // `description` optional, so this rule is advisory; aim for low false
+    // positive rate rather than complete coverage.
+    const triggerPhrases = /\btrigger(s)?\b\s*(on|when|whenever|if|upon|for)\b|\btriggers?\s*:|\buse (this skill |it )?(when|whenever|for|to|on|if)\b|\bshould be used (when|whenever|for|to|if)\b|\b(applies|invoke|reach for|call this|run this|use this|loaded|loads|reaches for|fires) (when|whenever|if|to|for|automatically|on)\b|\bwhen (the user|you|asked|working|debugging|diagnosing|investigating|reviewing|writing|building|creating|editing|setting up|deploying|the task|a request|a question|a message|a turn|the turn|the session|the conversation|the model|you need|there|something|anything)\b|\bwhen [a-z]+ing\b|\bfor (debugging|diagnosing|tasks|requests|questions|when|any|memory|recall|search|saves?|the )\b|\bprotocol for\b|\barchivist for\b|\bhandler for\b|\bauto(matic|-?)\s+(save|load|invocation)\b/i;
     if (triggerPhrases.test(d))
         return true;
     // First "sentence-ish" chunk — used to detect imperative / gerund openers.
@@ -151,6 +163,41 @@ export const skillMdLinter = {
                     "(e.g., \"Use when…\", \"Trigger on…\", \"when the user asks to…\", or an imperative verb)"));
             }
         }
+        // model — Zod types it as a permissive scalar; accept a named alias or a
+        // versioned claude-* model id. Mirrors agent-md/model-valid.
+        if ("model" in fm.data && typeof fm.data.model === "string") {
+            const model = fm.data.model;
+            if (!AGENT_MODELS.has(model) && !model.startsWith("claude-")) {
+                push(diag(config, filePath, "skill-md/model-valid", "warning", `"model" must be one of: ${[...AGENT_MODELS].join(", ")} or a versioned claude-* model ID (got "${model}")`));
+            }
+        }
+        // effort — Zod types it as a permissive scalar; the field's describe()
+        // string restricts it to a named level or an integer.
+        if ("effort" in fm.data) {
+            const reason = invalidEffortReason(fm.data.effort);
+            if (reason) {
+                push(diag(config, filePath, "skill-md/effort-valid", "warning", reason));
+            }
+        }
+        // allowed-tools — validate built-in tool names. mcp__* patterns are
+        // dynamic (resolved at runtime); accept them. Mirrors command-md.
+        if ("allowed-tools" in fm.data) {
+            const tools = fm.data["allowed-tools"];
+            if (Array.isArray(tools)) {
+                for (const t of tools) {
+                    if (typeof t === "string" && !t.startsWith("mcp__") && !TOOLS.has(t)) {
+                        push(diag(config, filePath, "skill-md/allowed-tools-valid", "warning", `Unknown tool "${t}" in allowed-tools`));
+                    }
+                }
+            }
+        }
+        // boolean fields — the Zod schema accepts the string "true"; only a real
+        // boolean behaves as expected.
+        for (const field of ["disable-model-invocation", "user-invocable"]) {
+            if (field in fm.data && typeof fm.data[field] !== "boolean") {
+                push(diag(config, filePath, "skill-md/frontmatter-field-type", "warning", `"${field}" must be a boolean (got ${JSON.stringify(fm.data[field])})`));
+            }
+        }
         // Frontmatter keys: only flag cross-artifact misplacement. A key that is
         // valid for a *different* markdown artifact (e.g. agent's "effort" on a
         // skill) gets an info; a key valid for no artifact stays silent.

package/dist/plugin-schema.js

@@ -8,11 +8,10 @@
  * resolver if the file is being run from an alternate layout (e.g. monorepo).
  */
 import { readFileSync } from "node:fs";
-import { dirname, resolve } from "node:path";
-import { fileURLToPath } from "node:url";
 import { Ajv2020 } from "ajv/dist/2020.js";
 // biome-ignore lint/style/useImportType: runtime import; types only.
 import * as addFormatsNs from "ajv-formats";
+import { assetCandidates } from "./utils/asset-path.js";
 // ajv-formats ships as CJS with a default function export. Under Node16
 // ESM resolution we have to reach in for `.default`.
 const addFormats = addFormatsNs.default;
@@ -26,36 +25,87 @@ function getAjv() {
     addFormats(ajvShared);
     return ajvShared;
 }
-function loadCompiledSchema(fileName) {
-    if (compiledCache.has(fileName))
-        return compiledCache.get(fileName) ?? null;
-    const here = dirname(fileURLToPath(import.meta.url));
+function tryReadFile(relPath) {
     const candidates = [
-        resolve(here, "..", "contracts", fileName),
-        resolve(here, "..", "..", "contracts", fileName),
+        ...assetCandidates(import.meta.url, ["..", ...relPath]),
+        ...assetCandidates(import.meta.url, ["..", "..", ...relPath]),
     ];
-    let raw = null;
     for (const p of candidates) {
         try {
-            raw = readFileSync(p, "utf8");
-            break;
+            return readFileSync(p, "utf8");
         }
         catch {
             // try next
         }
     }
+    return null;
+}
+/**
+ * Compile a schema document, handling both wrapper shapes:
+ *   - extracted (`{ extractedFromClaudeCodeVersion, schema: {...} }`)
+ *   - bare JSON Schema (the schemastore.org files, no envelope)
+ */
+function compileSchemaDoc(raw, sourceLabel) {
+    const parsed = JSON.parse(raw);
+    let schema;
+    let version;
+    if ("extractedFromClaudeCodeVersion" in parsed &&
+        typeof parsed.extractedFromClaudeCodeVersion === "string" &&
+        "schema" in parsed &&
+        typeof parsed.schema === "object" &&
+        parsed.schema !== null) {
+        schema = parsed.schema;
+        version = parsed.extractedFromClaudeCodeVersion;
+    }
+    else {
+        // Bare schemastore document. Strip `$id` (Ajv registers it globally
+        // and trips `$id already exists` on a second compile) and any
+        // `$schema` meta-pointer Ajv2020 can't resolve (draft-07 etc.).
+        const { $id: _id, $schema: _meta, ...rest } = parsed;
+        void _id;
+        void _meta;
+        schema = rest;
+        version = sourceLabel;
+    }
+    const propSrc = schema.properties ?? {};
+    return {
+        validate: getAjv().compile(schema),
+        extractedFromVersion: version,
+        knownFields: new Set(Object.keys(propSrc)),
+    };
+}
+function loadCompiledSchema(fileName) {
+    if (compiledCache.has(fileName))
+        return compiledCache.get(fileName) ?? null;
+    const raw = tryReadFile(["contracts", fileName]);
     if (!raw) {
         compiledCache.set(fileName, null);
         return null;
     }
-    const wrapped = JSON.parse(raw);
-    const compiled = {
-        validate: getAjv().compile(wrapped.schema),
-        extractedFromVersion: wrapped.extractedFromClaudeCodeVersion,
-    };
+    const compiled = compileSchemaDoc(raw, fileName);
     compiledCache.set(fileName, compiled);
     return compiled;
 }
+/**
+ * Load a schemastore.org-curated schema from `contracts/schemastore/`.
+ * Schemastore is preferred for top-level artifact validation because it's
+ * Anthropic's own published source of truth and stays stable across Claude
+ * Code minifier rotations. The Zod-extracted schemas (`loadCompiledSchema`)
+ * remain authoritative for sub-shapes schemastore doesn't enumerate.
+ */
+function loadSchemastoreSchema(fileName) {
+    const cacheKey = `schemastore/${fileName}`;
+    if (compiledCache.has(cacheKey))
+        return compiledCache.get(cacheKey) ?? null;
+    const raw = tryReadFile(["contracts", "schemastore", fileName]);
+    if (!raw) {
+        compiledCache.set(cacheKey, null);
+        return null;
+    }
+    const compiled = compileSchemaDoc(raw, `schemastore:${fileName}`);
+    compiledCache.set(cacheKey, compiled);
+    return compiled;
+}
 export function loadLspSchema() {
     return loadCompiledSchema("lsp.schema.json");
 }
@@ -63,8 +113,30 @@ export function loadMonitorsSchema() {
     return loadCompiledSchema("monitors.schema.json");
 }
 export function loadSettingsSchema() {
+    // gitea#6: prefer the Zod-extracted schema (runtime truth, e.g.
+    // `disableAutoMode` is `boolean` in 2.1.150) over schemastore (which
+    // still lists it as a string literal — out of date). Schemastore is
+    // only used for artifacts with no Zod source (marketplace, keybindings).
     return loadCompiledSchema("settings.schema.json");
 }
+/**
+ * Marketplace and keybindings schemas come exclusively from schemastore —
+ * there is no Zod source for them in the Claude Code bundle. Returns null
+ * if the user's install was shipped without the schemastore bundle (rare;
+ * the package.json includes them in `files`).
+ */
+export function loadMarketplaceSchema() {
+    return loadSchemastoreSchema("marketplace.schema.json");
+}
+export function loadKeybindingsSchema() {
+    return loadSchemastoreSchema("keybindings.schema.json");
+}
+export function loadMcpJsonSchema() {
+    return loadCompiledSchema("mcp.schema.json");
+}
+export function loadHooksJsonSchema() {
+    return loadCompiledSchema("hooks.schema.json");
+}
 export function loadSkillFrontmatterSchema() {
     return loadCompiledSchema("skill-frontmatter.schema.json");
 }
@@ -77,32 +149,17 @@ export function loadCommandFrontmatterSchema() {
 export function loadPluginSchema() {
     if (cached)
         return cached;
-    const here = dirname(fileURLToPath(import.meta.url));
-    const candidates = [
-        resolve(here, "..", "contracts", "plugin.schema.json"),
-        resolve(here, "..", "..", "contracts", "plugin.schema.json"),
-    ];
-    let raw = null;
-    for (const p of candidates) {
-        try {
-            raw = readFileSync(p, "utf8");
-            break;
-        }
-        catch {
-            // try next
-        }
-    }
+    // gitea#6: prefer the Zod-extracted plugin.schema.json (runtime truth);
+    // schemastore copy stays committed at `contracts/schemastore/` for
+    // reference and for the marketplace/keybindings artifacts only.
+    const raw = tryReadFile(["contracts", "plugin.schema.json"]);
     if (!raw)
         return null;
-    const wrapped = JSON.parse(raw);
-    const ajv = new Ajv2020({ allErrors: true, strict: false });
-    addFormats(ajv);
-    const validate = ajv.compile(wrapped.schema);
-    const knownFields = new Set(Object.keys(wrapped.schema.properties ?? {}));
+    const compiled = compileSchemaDoc(raw, "plugin.schema.json");
     cached = {
-        validate,
-        extractedFromVersion: wrapped.extractedFromClaudeCodeVersion,
-        knownFields,
+        validate: compiled.validate,
+        extractedFromVersion: compiled.extractedFromVersion,
+        knownFields: compiled.knownFields,
     };
     return cached;
 }

package/dist/utils/asset-path.js

@@ -0,0 +1,56 @@
+/**
+ * Resolve runtime assets (contracts/*.schema.json, .claudecode-lint.defaults.yaml,
+ * package.json) that ship alongside the package on disk.
+ *
+ * Normally these are found relative to `import.meta.url` — the location of the
+ * compiled `.js` file inside `dist/`. That works for the Node build and for the
+ * published npm package.
+ *
+ * Inside a `bun build --compile` single-executable, `import.meta.url` points
+ * into Bun's virtual embedded filesystem (`/$bunfs/...`), so disk reads of
+ * sibling assets fail. To support that variant, we ALSO emit candidates
+ * relative to `process.execPath` (the real on-disk path of the running
+ * executable). The compiled-binary image ships `contracts/` and
+ * `.claudecode-lint.defaults.yaml` next to the executable, so those fallback
+ * candidates resolve there.
+ *
+ * For the Node runtime, the `process.execPath`-relative candidates simply point
+ * at the `node` binary's directory and won't match — harmless extra lookups
+ * appended AFTER the existing ones, so Node resolution is byte-for-byte
+ * unchanged.
+ */
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+/**
+ * Build a list of candidate paths for an asset shipped with the package.
+ *
+ * @param importMetaUrl  `import.meta.url` of the calling module.
+ * @param segments       Path segments, relative to a base directory, that
+ *                        locate the asset (e.g. `["..", "contracts", "x.json"]`
+ *                        for a module under `dist/`).
+ * @returns Ordered candidate paths: `import.meta.url`-relative first (existing
+ *          behavior), then `process.execPath`-relative fallbacks.
+ */
+export function assetCandidates(importMetaUrl, segments) {
+    const candidates = [];
+    // 1. import.meta.url-relative — the existing, primary resolution.
+    const here = dirname(fileURLToPath(importMetaUrl));
+    candidates.push(resolve(here, ...segments));
+    // 2. process.execPath-relative fallbacks for the compiled single-executable.
+    //    The binary lives next to `contracts/` and the defaults YAML, so we try
+    //    both the executable's own directory and one level up (mirroring the
+    //    dist/ -> package-root step the segments encode).
+    try {
+        const execDir = dirname(process.execPath);
+        // Drop leading ".." segments: assets sit directly beside the executable.
+        const beside = segments.filter((s) => s !== "..");
+        candidates.push(resolve(execDir, ...beside));
+        candidates.push(resolve(execDir, ...segments));
+    }
+    catch {
+        // process.execPath unavailable — ignore.
+    }
+    // De-duplicate while preserving order.
+    return [...new Set(candidates)];
+}
+//# sourceMappingURL=asset-path.js.map

package/dist/utils/effort.js

@@ -0,0 +1,29 @@
+import { EFFORT_LEVELS } from "../contracts.js";
+/**
+ * Validate a frontmatter `effort` value against the Claude Code contract.
+ *
+ * Claude Code's frontmatter Zod schema types `effort` as a permissive scalar
+ * (`anyOf[string,number,boolean,null]`), but the field's own `.describe()`
+ * string in the bundle reads:
+ *   "Thinking effort for the model: `low`, `medium`, `high`, `max`, or an integer."
+ *
+ * So a valid `effort` is either one of the named levels (EFFORT_LEVELS) or an
+ * integer. Anything else — a non-integer number, a boolean, an unknown string,
+ * null — is reported. Returns a human-readable reason when invalid, or null
+ * when the value is acceptable.
+ */
+export function invalidEffortReason(value) {
+    const valid = [...EFFORT_LEVELS].join(", ");
+    if (typeof value === "string") {
+        if (EFFORT_LEVELS.has(value))
+            return null;
+        return `"effort" string must be one of: ${valid} (got "${value}")`;
+    }
+    if (typeof value === "number") {
+        if (Number.isInteger(value))
+            return null;
+        return `"effort" number must be an integer (got ${value})`;
+    }
+    return `"effort" must be one of: ${valid}, or an integer (got ${JSON.stringify(value)})`;
+}
+//# sourceMappingURL=effort.js.map

package/dist/utils/frontmatter-keys.js

@@ -1,9 +1,38 @@
 import { SKILL_FRONTMATTER, AGENT_FRONTMATTER, COMMAND_FRONTMATTER, } from "../contracts.js";
-const KEY_SETS = {
+import { loadSkillFrontmatterSchema, loadAgentFrontmatterSchema, loadCommandFrontmatterSchema, } from "../plugin-schema.js";
+// Census-extraction sets (scripts/extract-contracts.ts). Used only as a
+// fallback when the auto-extracted frontmatter schema is unavailable — the
+// census extractor lags the schema walker (e.g. it was missing `effort`).
+const CENSUS_FALLBACK = {
     skill: SKILL_FRONTMATTER,
     agent: AGENT_FRONTMATTER,
     command: COMMAND_FRONTMATTER,
 };
+const SCHEMA_LOADERS = {
+    skill: loadSkillFrontmatterSchema,
+    agent: loadAgentFrontmatterSchema,
+    command: loadCommandFrontmatterSchema,
+};
+const keyCache = new Map();
+/**
+ * Known frontmatter keys for an artifact — the union of the auto-extracted
+ * schema's property names (authoritative, complete, kept in sync with Claude
+ * Code's Zod) and the census-contract set. Union rather than schema-only so a
+ * key known to *either* extraction is never mis-flagged: `no-unknown-
+ * frontmatter` is advisory and a false positive is the only real harm.
+ */
+function knownKeys(kind) {
+    const cached = keyCache.get(kind);
+    if (cached)
+        return cached;
+    const merged = new Set(CENSUS_FALLBACK[kind]);
+    const schema = SCHEMA_LOADERS[kind]();
+    if (schema)
+        for (const k of schema.knownFields)
+            merged.add(k);
+    keyCache.set(kind, merged);
+    return merged;
+}
 const ARTIFACT_LABEL = {
     skill: "skill",
     agent: "agent",
@@ -18,13 +47,13 @@ const ARTIFACT_LABEL = {
  */
 export function classifyUnknownFrontmatterKey(key, self, extraKnown = new Set()) {
     // Known for the current artifact — not unknown at all.
-    if (KEY_SETS[self].has(key) || extraKnown.has(key))
+    if (knownKeys(self).has(key) || extraKnown.has(key))
         return null;
     // Valid for some *other* markdown artifact → misplacement.
     for (const kind of ["skill", "agent", "command"]) {
         if (kind === self)
             continue;
-        if (KEY_SETS[kind].has(key)) {
+        if (knownKeys(kind).has(key)) {
             return { kind: "owned-by-other", owner: kind };
         }
     }

package/dist/utils/frontmatter.js

@@ -32,7 +32,7 @@ export function parseFrontmatter(content) {
     const body = lines.slice(closingIndex + 1).join("\n");
     const bodyStartLine = closingIndex + 2; // 1-based
     try {
-        const data = parseYaml(frontmatterRaw);
+        const data = parseYaml(frontmatterRaw, { maxAliasCount: 100 });
         if (typeof data !== "object" || data === null || Array.isArray(data)) {
             return {
                 data: {},

package/dist/utils/safe-write.js

@@ -0,0 +1,36 @@
+import { lstatSync, realpathSync } from "node:fs";
+import { sep } from "node:path";
+/**
+ * Decide whether writing to `filePath` (a fix/format target) is safe.
+ *
+ * The linter may write fixes back to artifact paths supplied by a plugin.
+ * A malicious plugin can ship an artifact path that is actually a symlink
+ * pointing outside the target tree (`~/.bashrc`, an SSH key, a CI secret);
+ * a bare `writeFileSync` would then clobber the symlink's target.
+ *
+ * Returns a human-readable reason to REFUSE the write, or `null` if the
+ * write is safe. The check fails closed: if anything throws (path missing,
+ * permission error, etc.) a refusal reason is returned.
+ *
+ * Refuses when:
+ *  - `filePath` itself is a symbolic link, or
+ *  - the real path of `filePath` is not `rootDir` itself and not located
+ *    under `rootDir + path.sep`.
+ */
+export function writeBlockedReason(filePath, rootDir) {
+    try {
+        if (lstatSync(filePath).isSymbolicLink()) {
+            return "path is a symlink";
+        }
+        const realRoot = realpathSync(rootDir);
+        const realPath = realpathSync(filePath);
+        if (realPath !== realRoot && !realPath.startsWith(realRoot + sep)) {
+            return "path resolves outside the target directory";
+        }
+        return null;
+    }
+    catch {
+        return "path could not be safely resolved";
+    }
+}
+//# sourceMappingURL=safe-write.js.map

package/dist/utils/terminal.js

@@ -0,0 +1,18 @@
+/**
+ * Strip C0 control characters and DEL from a string before it is written to
+ * a terminal, while preserving tab and newline.
+ *
+ * Diagnostic messages, file paths and `--fix-dry-run` diffs embed untrusted
+ * strings (rule content, field values, file content, plugin-controlled file
+ * and directory names). Without sanitization an attacker-supplied artifact
+ * could smuggle ANSI/control sequences into the user's terminal.
+ *
+ * Strips U+0000-U+0008, U+000B-U+001F and U+007F (DEL) - every C0 control
+ * char and DEL except U+0009 (tab) and U+000A (newline), which are kept.
+ * The stripped set includes U+000D (CR) and U+001B (ESC) by design.
+ */
+export function sanitizeForTerminal(s) {
+    // eslint-disable-next-line no-control-regex
+    return s.replace(/[\u0000-\u0008\u000B-\u001F\u007F]/g, "");
+}
+//# sourceMappingURL=terminal.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "claudecode-linter",
-	"version": "2.1.148",
+	"version": "2.1.150-patch.1",
 	"description": "Standalone linter for Claude Code plugins and configuration files",
 	"type": "module",
 	"bin": {
@@ -17,8 +17,9 @@
 		"deps:update": "ncu -u",
 		"knip": "knip --exclude types",
 		"check-deps": "tsx scripts/check-deps.ts",
-		"extract-contracts": "tsx scripts/extract-contracts.ts && tsx scripts/extract-plugin-schema.ts",
+		"extract-contracts": "tsx scripts/extract-contracts.ts && tsx scripts/extract-plugin-schema.ts && tsx scripts/fetch-schemastore.ts",
 		"extract-plugin-schema": "tsx scripts/extract-plugin-schema.ts",
+		"fetch-schemastore": "tsx scripts/fetch-schemastore.ts",
 		"generate-contracts": "tsx scripts/generate-contracts.ts"
 	},
 	"files": [
@@ -30,6 +31,9 @@
 		"contracts/skill-frontmatter.schema.json",
 		"contracts/agent-frontmatter.schema.json",
 		"contracts/command-frontmatter.schema.json",
+		"contracts/mcp.schema.json",
+		"contracts/hooks.schema.json",
+		"contracts/schemastore/*.json",
 		".claudecode-lint.defaults.yaml",
 		"README.md"
 	],