create-lore 0.8.1 → 0.10.0

package/.gitattributes

@@ -0,0 +1,2 @@
+# Force LF line endings everywhere — prevents CRLF issues on Windows.
+* text=auto eol=lf

package/.github/CODEOWNERS

@@ -0,0 +1 @@
+* @drewswiredin

package/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,24 @@
+---
+name: Bug report
+about: Something isn't working as expected
+labels: bug
+---
+
+**What happened?**
+
+A clear description of the bug.
+
+**Steps to reproduce**
+
+1. ...
+2. ...
+
+**Expected behavior**
+
+What should have happened instead.
+
+**Environment**
+
+- OS:
+- Node version:
+- create-lore version:

package/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Suggest an improvement or new capability
+labels: enhancement
+---
+
+**What problem does this solve?**
+
+Describe the use case or pain point.
+
+**Proposed solution**
+
+How you'd like it to work.
+
+**Alternatives considered**
+
+Any workarounds or other approaches you've tried.

package/.github/workflows/release.yml

@@ -0,0 +1,76 @@
+name: Release
+
+on:
+  push:
+    tags: ['v*']
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        node-version: [18, 20]
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4  # checkout create-lore (this repo)
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4  # checkout lore template at matching tag
+        with:
+          repository: lorehq/lore
+          ref: ${{ github.ref_name }}
+          path: lore
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm test
+        env:
+          LORE_TEMPLATE: ${{ github.workspace }}/lore
+
+  verify-tag:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Verify tag matches package.json version
+        run: |
+          tag="${GITHUB_REF#refs/tags/v}"
+          pkg="$(node -p "require('./package.json').version")"
+          if [[ "$tag" != "$pkg" ]]; then
+            echo "::error::Tag v$tag does not match package.json version $pkg"
+            exit 1
+          fi
+          echo "Tag v$tag matches package.json"
+      - name: Verify matching lore tag exists
+        run: |
+          tag="${GITHUB_REF#refs/tags/}"
+          if ! git ls-remote --tags https://github.com/lorehq/lore.git "refs/tags/$tag" | grep -q "$tag"; then
+            echo "::error::lorehq/lore does not have tag $tag — tag lore first"
+            exit 1
+          fi
+          echo "lorehq/lore has matching tag $tag"
+
+  publish:
+    needs: [test, verify-tag]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+          registry-url: https://registry.npmjs.org
+      - name: Publish to npm
+        run: npm publish --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          tag="${GITHUB_REF#refs/tags/}"
+          gh release delete "$tag" --yes 2>/dev/null || true
+          gh release create "$tag" \
+            --title "$tag" \
+            --generate-notes

package/.github/workflows/test.yml

@@ -0,0 +1,55 @@
+name: Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        node-version: [18, 20]
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4  # checkout create-lore (this repo)
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4  # checkout lore template (used as LORE_TEMPLATE)
+        with:
+          repository: lorehq/lore
+          path: lore
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci
+      - name: Lint & format
+        run: npx eslint . && npx prettier --check .
+      - run: npm test
+        env:
+          LORE_TEMPLATE: ${{ github.workspace }}/lore
+
+  e2e:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          repository: lorehq/lore
+          path: lore
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+      - name: Scaffold a project and validate it
+        shell: bash
+        env:
+          LORE_TEMPLATE: ${{ github.workspace }}/lore
+        run: |
+          node bin/create-lore.js test-project
+          cd test-project
+          bash scripts/validate-consistency.sh

package/.prettierignore

@@ -0,0 +1 @@
+lore/

package/.prettierrc

@@ -0,0 +1,7 @@
+{
+  "singleQuote": true,
+  "semi": true,
+  "trailingComma": "all",
+  "printWidth": 120,
+  "tabWidth": 2
+}

package/CONTRIBUTING.md

@@ -0,0 +1,51 @@
+# Contributing to create-lore
+
+Thanks for your interest in contributing. `create-lore` is the CLI scaffolder for [Lore](https://github.com/lorehq/lore).
+
+## Dev Setup
+
+```bash
+git clone https://github.com/lorehq/create-lore.git
+cd create-lore
+```
+
+Requires **Node.js 18+**. Zero runtime dependencies.
+
+## Running Tests
+
+```bash
+npm test
+```
+
+Tests use `LORE_TEMPLATE` env var to point at a local lore repo instead of cloning from GitHub:
+
+```bash
+LORE_TEMPLATE=../lore npm test
+```
+
+## Pull Requests
+
+1. Fork the repo and create a branch from `main`
+2. Make your changes
+3. Run `npm test`
+4. Open a pull request
+
+## What We're Looking For
+
+- Bug fixes with clear reproduction steps
+- Better error messaging for common failure modes
+- Test coverage improvements
+
+## Guidelines
+
+- Keep changes focused — one concern per PR
+- Match existing code style
+- For framework changes (hooks, skills, lib), contribute to [lorehq/lore](https://github.com/lorehq/lore) instead
+
+## Reporting Issues
+
+Use [GitHub Issues](../../issues). For security vulnerabilities, see [SECURITY.md](SECURITY.md).
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the Apache-2.0 license.

package/README.md

@@ -1,45 +1,54 @@
 # create-lore
 
-Create a new [Lore](https://github.com/lorehq/lore) knowledge-persistent AI coding agent repo.
+Bootstrap a new [Lore](https://github.com/lorehq/lore) project — persistent memory for AI coding agents.
 
-## Usage
+## The Problem
 
-```bash
-npx create-lore myproject
-```
+AI coding agents (Claude Code, Cursor, OpenCode) forget everything between sessions. Every session you re-explain project structure, re-discover API quirks, and repeat lessons learned yesterday. Lore fixes that.
+
+## What Lore Does
 
-This creates `lore-myproject/` with the full Lore framework — hooks, skills, scripts, and operating instructions that teach your coding agent to learn and remember across sessions.
+Lore wraps your coding agent in a git-versioned knowledge base. Hooks fire automatically to reinforce knowledge capture as you work. Gotchas become skills, and every future session starts with what previous sessions learned. Complex work delegates to focused workers loaded with curated skills.
 
-## What you get
+- **Skills** — API quirks, auth gotchas, encoding tricks. Captured once, loaded forever.
+- **Knowledge docs** — Environment details, runbooks, architecture decisions. Accumulated across sessions.
+- **Work tracking** — Roadmaps, plans, and brainstorms that persist and appear in every session banner.
+- **Hooks** — Session init, capture reminders, memory protection. All automatic.
+- **Docs UI & Semantic Search** — Run `/lore-docker` to start a local Docker sidecar. Gives agents semantic search over the full knowledge base and opens a live MkDocs site for browsing it visually. Falls back to Grep/Glob without Docker.
+
+## Quick Start
+
+```bash
+npx create-lore my-project
+cd my-project
+git add -A && git commit -m "Init Lore"
+```
 
-- **Instructions** — Operating instructions loaded automatically by each platform
-- **Hooks** — Session init, memory guard, post-action capture reminders
-- **Skills** — `create-skill` and `create-agent` for building your knowledge base
-- **Scripts** — Registry generation, agent generation, consistency validation
+Then open the project in your agent. Hooks fire automatically.
 
-## Supported platforms
+## Supported Platforms
 
-- **Claude Code** — `hooks/` + `CLAUDE.md`
-- **Cursor** — `.cursor/hooks/` + `.cursorrules`
-- **OpenCode** — `.opencode/plugins/` + `opencode.json`
+| Platform    | Integration                                                           |
+| ----------- | --------------------------------------------------------------------- |
+| Claude Code | `.lore/hooks/` + `CLAUDE.md`                                          |
+| Cursor      | `.lore/hooks/` + `.cursor/hooks/` + `.cursor/mcp/` + `.cursor/rules/` |
+| OpenCode    | `.opencode/plugins/` + `opencode.json`                                |
 
 All platforms share the same knowledge base. No configuration needed.
 
 ## Options
 
 ```bash
-npx create-lore myproject       # creates ./lore-myproject/
-npx create-lore ./custom-path   # creates at specific path
+npx create-lore my-project       # creates ./my-project/
+npx create-lore ./custom-path    # creates at specific path
+npx create-lore --help           # show usage
+npx create-lore --version        # show version
 ```
 
-## After setup
-
-```bash
-cd lore-myproject
-git add -A && git commit -m "Init Lore"
-```
+## Requirements
 
-Then open the project in your agent. Hooks fire automatically and the self-learning loop begins.
+- Node.js 18+
+- git
 
 ## Docs
 

package/SECURITY.md

@@ -0,0 +1,24 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it responsibly:
+
+1. **Do not** open a public GitHub issue
+2. Email the maintainers or use [GitHub's private vulnerability reporting](../../security/advisories/new)
+3. Include steps to reproduce and potential impact
+
+We will acknowledge receipt within 48 hours and provide a timeline for a fix.
+
+## Scope
+
+`create-lore` is a CLI scaffolder that clones a template repo and initializes a new project. Security concerns are primarily:
+
+- Shell command execution during project scaffolding (`git clone`, `git init`)
+- Template integrity (clones from a pinned version tag on GitHub)
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | --------- |
+| 0.10.x  | Yes       |

package/bin/create-lore.js

@@ -7,7 +7,7 @@
 // How it works:
 //   1. Clones the Lore template from GitHub (or copies from LORE_TEMPLATE env var)
 //   2. Strips the template's .git history
-//   3. Writes a .lore-config with the project name and creation date
+//   3. Writes .lore/config.json with the project name and creation date
 //   4. Runs git init for a clean start
 //
 // The LORE_TEMPLATE env var is used by tests to point at a local template
@@ -18,9 +18,25 @@ const fs = require('fs');
 const path = require('path');
 
 const REPO_URL = 'https://github.com/lorehq/lore.git';
+const pkg = require('../package.json');
 
 // -- Parse arguments --
-const name = process.argv[2];
+const arg = process.argv[2];
+if (arg === '--help' || arg === '-h') {
+  console.log(`create-lore v${pkg.version}\n`);
+  console.log('Usage: create-lore <name|path>\n');
+  console.log('Bootstrap a new Lore knowledge-persistent agent repo.\n');
+  console.log('Examples:');
+  console.log('  npx create-lore myproject       # creates ./myproject/');
+  console.log('  npx create-lore ./custom-path   # creates at specific path');
+  process.exit(0);
+}
+if (arg === '--version' || arg === '-v') {
+  console.log(pkg.version);
+  process.exit(0);
+}
+
+const name = arg;
 if (!name) {
   console.error('Usage: create-lore <name>');
   process.exit(1);
@@ -31,6 +47,25 @@ if (!name) {
 const isPath = name.includes('/') || name.includes(path.sep);
 const targetDir = path.resolve(isPath ? name : `./${name}`);
 
+// Validate every segment of the resolved path's tail (the parts the user controls).
+// For simple names, validate the name directly. For paths, validate the basename.
+// This prevents shell-hostile characters like ; | & $ ` from sneaking through.
+const segmentPattern = /^[a-zA-Z0-9._-]+$/;
+const finalName = path.basename(targetDir);
+if (!segmentPattern.test(finalName)) {
+  console.error(`Error: Invalid project name '${finalName}'`);
+  console.error('Names may contain letters, numbers, dots, hyphens, and underscores.');
+  process.exit(1);
+}
+
+// Guard against path traversal — resolved target must be under cwd
+const cwd = process.cwd();
+if (!targetDir.startsWith(cwd + path.sep) && targetDir !== cwd) {
+  console.error(`Error: Target directory '${targetDir}' is outside the current working directory.`);
+  console.error('Use a relative name or path within the current directory.');
+  process.exit(1);
+}
+
 if (fs.existsSync(targetDir)) {
   console.error(`Error: ${targetDir} already exists`);
   process.exit(1);
@@ -45,25 +80,85 @@ try {
   if (templateDir) {
     fs.cpSync(templateDir, tmpDir, { recursive: true });
   } else {
-    execSync(`git clone --depth 1 ${REPO_URL} "${tmpDir}"`, { stdio: 'pipe' });
+    try {
+      execSync(`git clone --depth 1 --branch v${pkg.version} ${REPO_URL} "${tmpDir}"`, { stdio: 'pipe' });
+    } catch (err) {
+      const stderr = err.stderr ? err.stderr.toString() : '';
+      if (stderr.includes('not found') || stderr.includes('not a valid')) {
+        console.error(`Error: Version tag v${pkg.version} not found in ${REPO_URL}`);
+        console.error('This usually means the release tag is missing. Try:');
+        console.error('  npx create-lore@latest ' + name);
+      } else if (stderr.includes('Could not resolve host') || stderr.includes('unable to access')) {
+        console.error('Error: Cannot reach github.com');
+        console.error('Check your internet connection, DNS, and firewall/proxy settings.');
+      } else {
+        console.error('Error: Failed to clone template from GitHub');
+        console.error(stderr.trim() || err.message);
+      }
+      process.exit(1);
+    }
   }
   fs.rmSync(path.join(tmpDir, '.git'), { recursive: true, force: true });
+
+  // Only keep files needed in instances — remove everything else
+  const keep = new Set([
+    '.lore',
+    '.claude',
+    '.cursor',
+    '.opencode',
+    'docs',
+    'CLAUDE.md',
+    'opencode.json',
+    '.gitattributes',
+    '.gitignore',
+  ]);
+  for (const entry of fs.readdirSync(tmpDir)) {
+    if (!keep.has(entry)) {
+      fs.rmSync(path.join(tmpDir, entry), { recursive: true, force: true });
+    }
+  }
+
   fs.cpSync(tmpDir, targetDir, { recursive: true });
 } finally {
   // Always clean up the temp dir
   if (fs.existsSync(tmpDir)) fs.rmSync(tmpDir, { recursive: true });
 }
 
-// -- Write .lore-config --
+// -- Write .lore/config.json --
 const projectName = isPath ? path.basename(targetDir) : name;
-// Read version from the template's .lore-config so instances track their source version
-const templateConfig = JSON.parse(fs.readFileSync(path.join(targetDir, '.lore-config'), 'utf8'));
-const config = {
-  name: projectName,
-  version: templateConfig.version || '0.0.0',
-  created: new Date().toISOString().split('T')[0],
-};
-fs.writeFileSync(path.join(targetDir, '.lore-config'), JSON.stringify(config, null, 2) + '\n');
+// Read version from the copied config.json, then rewrite from template
+let templateConfig;
+try {
+  templateConfig = JSON.parse(fs.readFileSync(path.join(targetDir, '.lore', 'config.json'), 'utf8'));
+} catch {
+  templateConfig = {};
+}
+const templateVersion = templateConfig.version || '0.0.0';
+const createdDate = new Date().toISOString().split('T')[0];
+const configTemplate = fs.readFileSync(path.join(targetDir, '.lore', 'templates', 'config.json'), 'utf8');
+const configContent = configTemplate
+  .replace('{{name}}', projectName)
+  .replace('{{version}}', templateVersion)
+  .replace('{{created}}', createdDate);
+fs.writeFileSync(path.join(targetDir, '.lore', 'config.json'), configContent);
+
+// -- Create gitignored files from templates --
+// Templates are already in targetDir (copied from the template clone via .lore/).
+// These are normally recreated by ensureStickyFiles() each session, but the
+// installer should produce a complete instance from the start.
+const tplDir = path.join(targetDir, '.lore', 'templates');
+const localDir = path.join(targetDir, 'docs', 'knowledge', 'local');
+fs.mkdirSync(localDir, { recursive: true });
+
+fs.writeFileSync(path.join(localDir, 'index.md'), fs.readFileSync(path.join(tplDir, 'local-index.md'), 'utf8'));
+fs.writeFileSync(
+  path.join(localDir, 'operator-profile.md'),
+  fs.readFileSync(path.join(tplDir, 'operator-profile.md'), 'utf8'),
+);
+fs.writeFileSync(
+  path.join(targetDir, '.lore', 'memory.local.md'),
+  fs.readFileSync(path.join(tplDir, 'memory-local.md'), 'utf8'),
+);
 
 // -- Initialize git --
 execSync('git init -b main', { cwd: targetDir, stdio: 'pipe' });

package/eslint.config.js

@@ -0,0 +1,31 @@
+const prettier = require('eslint-config-prettier');
+
+module.exports = [
+  { ignores: ['lore/'] },
+  {
+    files: ['**/*.js'],
+    languageOptions: {
+      ecmaVersion: 2022,
+      sourceType: 'commonjs',
+      globals: {
+        console: 'readonly',
+        process: 'readonly',
+        require: 'readonly',
+        module: 'readonly',
+        __dirname: 'readonly',
+        __filename: 'readonly',
+        exports: 'readonly',
+        Buffer: 'readonly',
+      },
+    },
+    rules: {
+      'no-unused-vars': ['warn', { argsIgnorePattern: '^_' }],
+      'no-undef': 'error',
+      'no-constant-condition': 'warn',
+      eqeqeq: ['error', 'always'],
+      'no-var': 'error',
+      'prefer-const': 'warn',
+    },
+  },
+  prettier,
+];

package/package.json

@@ -1,16 +1,32 @@
 {
   "name": "create-lore",
-  "version": "0.8.1",
+  "version": "0.10.0",
   "description": "Create a new Lore knowledge-persistent agent repo",
   "bin": {
     "create-lore": "bin/create-lore.js"
   },
   "scripts": {
-    "test": "node --test test/create-lore.test.js"
+    "test": "node --test test/create-lore.test.js",
+    "lint": "eslint .",
+    "format:check": "prettier --check ."
   },
-  "keywords": ["lore", "agent", "ai", "knowledge"],
+  "keywords": [
+    "lore",
+    "agent",
+    "ai",
+    "knowledge"
+  ],
   "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/lorehq/create-lore"
+  },
   "engines": {
     "node": ">=18"
+  },
+  "devDependencies": {
+    "eslint": "^9.0.0",
+    "eslint-config-prettier": "^10.1.8",
+    "prettier": "^3.8.1"
   }
 }

package/test/create-lore.test.js

@@ -4,17 +4,26 @@
 
 const { describe, it, before, after } = require('node:test');
 const assert = require('node:assert/strict');
-const { execSync } = require('child_process');
+const { execSync, execFileSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 
 const BIN = path.resolve(__dirname, '../bin/create-lore.js');
-const TEMPLATE = path.resolve(__dirname, '../../lore'); // Sibling lore repo
+const TEMPLATE = process.env.LORE_TEMPLATE || path.resolve(__dirname, '../../lore');
 const OUTPUT = path.resolve(__dirname, '../test-output');
 
 // Run the installer with LORE_TEMPLATE pointing at the local template
 function run(args = '') {
-  return execSync(`node ${BIN} ${args}`, {
+  return execFileSync('node', [BIN, ...args.split(' ').filter(Boolean)], {
+    env: { ...process.env, LORE_TEMPLATE: TEMPLATE },
+    stdio: 'pipe',
+    encoding: 'utf8',
+  });
+}
+
+// Run with exact argv (no shell interpretation) — for testing shell metacharacters
+function runExact(name) {
+  return execFileSync('node', [BIN, name], {
     env: { ...process.env, LORE_TEMPLATE: TEMPLATE },
     stdio: 'pipe',
     encoding: 'utf8',
@@ -29,6 +38,18 @@ describe('create-lore', () => {
   before(cleanup);
   after(cleanup);
 
+  it('--help shows usage text', () => {
+    const output = run('--help');
+    assert.ok(output.includes('Usage:'), 'shows usage');
+    assert.ok(output.includes('create-lore'), 'mentions create-lore');
+  });
+
+  it('--version outputs package.json version', () => {
+    const output = run('--version');
+    const pkg = require('../package.json');
+    assert.equal(output.trim(), pkg.version);
+  });
+
   it('exits with error when no name given', () => {
     assert.throws(() => run(''), { status: 1 });
   });
@@ -38,8 +59,14 @@ describe('create-lore', () => {
 
     assert.ok(fs.existsSync(OUTPUT), 'output directory exists');
 
-    // .lore-config has required fields
-    const config = JSON.parse(fs.readFileSync(path.join(OUTPUT, '.lore-config'), 'utf8'));
+    // .lore/config.json has required fields (JSONC — strip comments before parsing)
+    const raw = fs.readFileSync(path.join(OUTPUT, '.lore', 'config.json'), 'utf8');
+    const config = JSON.parse(
+      raw
+        .replace(/^\s*\/\/.*$/gm, '')
+        .replace(/\/\*[\s\S]*?\*\//g, '')
+        .replace(/,(\s*[}\]])/g, '$1'),
+    );
     assert.ok(config.name, 'name present');
     assert.ok(config.created, 'created date present');
 
@@ -49,12 +76,51 @@ describe('create-lore', () => {
     assert.ok(entries.includes('HEAD'), '.git looks like a fresh init');
   });
 
+  it('strips dev-only files from scaffolded instance', () => {
+    cleanup();
+    run(OUTPUT);
+
+    const devOnly = [
+      'test',
+      '.github',
+      'node_modules',
+      'site',
+      'docs/assets',
+      'docs/javascripts',
+      'docs/stylesheets',
+      'CODE_OF_CONDUCT.md',
+      'CONTRIBUTING.md',
+      'SECURITY.md',
+      'LICENSE',
+      'README.md',
+      '.prettierrc',
+      '.prettierignore',
+      'eslint.config.js',
+      'package-lock.json',
+    ];
+    for (const name of devOnly) {
+      assert.ok(!fs.existsSync(path.join(OUTPUT, name)), `${name} should be stripped`);
+    }
+    cleanup();
+  });
+
   it('fails if target directory already exists', () => {
     fs.mkdirSync(OUTPUT, { recursive: true });
     assert.throws(() => run(OUTPUT), /already exists/);
     fs.rmSync(OUTPUT, { recursive: true });
   });
 
+  it('rejects names with shell metacharacters', () => {
+    assert.throws(() => runExact('foo;echo pwned'), /Invalid project name/);
+    assert.throws(() => runExact('foo$(cmd)'), /Invalid project name/);
+    assert.throws(() => runExact('foo|bar'), /Invalid project name/);
+  });
+
+  it('rejects path arguments with shell metacharacters in basename', () => {
+    assert.throws(() => runExact('./foo;rm'), /Invalid project name/);
+    assert.throws(() => runExact('/tmp/bad$(cmd)'), /Invalid project name/);
+  });
+
   // -- Template content tests --
   // These skip gracefully if the template hasn't reached that phase yet.
 
@@ -81,14 +147,16 @@ describe('create-lore', () => {
     if (!fs.existsSync(path.join(TEMPLATE, '.opencode/plugins'))) return;
 
     run(OUTPUT);
-    assert.ok(fs.existsSync(path.join(OUTPUT, '.opencode', 'plugins', 'session-init.js')),
-      'session-init.js copied');
-    assert.ok(fs.existsSync(path.join(OUTPUT, '.opencode', 'plugins', 'knowledge-tracker.js')),
-      'knowledge-tracker.js copied');
-    assert.ok(fs.existsSync(path.join(OUTPUT, '.opencode', 'plugins', 'protect-memory.js')),
-      'protect-memory.js copied');
-    assert.ok(fs.existsSync(path.join(OUTPUT, '.opencode', 'package.json')),
-      '.opencode/package.json copied');
+    assert.ok(fs.existsSync(path.join(OUTPUT, '.opencode', 'plugins', 'session-init.js')), 'session-init.js copied');
+    assert.ok(
+      fs.existsSync(path.join(OUTPUT, '.opencode', 'plugins', 'knowledge-tracker.js')),
+      'knowledge-tracker.js copied',
+    );
+    assert.ok(
+      fs.existsSync(path.join(OUTPUT, '.opencode', 'plugins', 'protect-memory.js')),
+      'protect-memory.js copied',
+    );
+    assert.ok(fs.existsSync(path.join(OUTPUT, '.opencode', 'package.json')), '.opencode/package.json copied');
     cleanup();
   });
 
@@ -103,10 +171,10 @@ describe('create-lore', () => {
   });
 
   it('passes validate-consistency.sh when template provides it', () => {
-    if (!fs.existsSync(path.join(TEMPLATE, 'scripts/validate-consistency.sh'))) return;
+    if (!fs.existsSync(path.join(TEMPLATE, '.lore/scripts/validate-consistency.sh'))) return;
 
     run(OUTPUT);
-    const result = execSync('bash scripts/validate-consistency.sh', {
+    const result = execSync('bash .lore/scripts/validate-consistency.sh', {
       cwd: OUTPUT,
       encoding: 'utf8',
       stdio: 'pipe',