codex-plugin-doctor 0.10.0 → 0.10.1

package/dist/core/fix-plan.js

@@ -4,6 +4,11 @@ import { validatePlugin } from "./validate-plugin.js";
 function relativeToTarget(targetPath, candidatePath) {
     return path.relative(targetPath, candidatePath).replace(/\\/g, "/");
 }
+function isPathWithinRoot(rootPath, candidatePath) {
+    const relativePath = path.relative(rootPath, candidatePath);
+    return (relativePath === "" ||
+        (!relativePath.startsWith("..") && !path.isAbsolute(relativePath)));
+}
 export async function buildFixPlan(targetPath) {
     const result = await validatePlugin(targetPath);
     const rootPath = result.targetPath;
@@ -38,6 +43,12 @@ export async function buildFixPlan(targetPath) {
         .catch(() => ({}));
     if (typeof manifest.skills === "string") {
         const skillsPath = path.resolve(rootPath, manifest.skills);
+        if (!isPathWithinRoot(rootPath, skillsPath)) {
+            return {
+                targetPath: rootPath,
+                actions
+            };
+        }
         if (await directoryExists(skillsPath)) {
             for (const entry of await readdir(skillsPath, { withFileTypes: true })) {
                 if (!entry.isDirectory()) {
@@ -70,6 +81,12 @@ export async function buildFixPlan(targetPath) {
     }
     if (typeof manifest.mcpServers === "string") {
         const mcpConfigPath = path.resolve(rootPath, manifest.mcpServers);
+        if (!isPathWithinRoot(rootPath, mcpConfigPath)) {
+            return {
+                targetPath: rootPath,
+                actions
+            };
+        }
         if (!(await fileExists(mcpConfigPath))) {
             actions.push({
                 id: "mcp.scaffold_config",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codex-plugin-doctor",
-  "version": "0.10.0",
+  "version": "0.10.1",
   "description": "CLI-first validator for Codex plugins, skills, and MCP package surfaces with runtime MCP protocol validation.",
   "type": "module",
   "main": "./dist/index.js",