fix: security, correctness & robustness sweep across lib/commands

[NagyVikt]

Summary

A bug-review sweep of src/lib and src/commands surfaced via 4 read-only audit agents, then verified individually against current main and covered by typecheck + tests. Every change is a defensive guard or a correctness fix with no behaviour change for legitimate inputs.

13 files, +131/−28. Independent review confirmed the 6 security/correctness fixes correct with no regressions.

Security

• pr-poster — writeFilesToWorktree now refuses paths that escape the worktree (../../.bashrc); the root + sep boundary also blocks the ${root}-evil sibling-prefix trick.
• scan-plugins — rejects an absolute or ..-containing manifest.skills from an untrusted plugin.json (was resolve(dir, manifest.skills) → arbitrary-dir scan).
• credentials-sync — OAuth creds written atomically (tmp + rename) so a crash/concurrent reader never sees a half-written credentials file.
• cwd-resolver — malformed repo-defaults.json is caught instead of throwing out of resolveProfileForCwd.

Correctness

• skill-dependencies — parseExplicitDeps now parses the YAML block-sequence requires_mcps: form, not only inline arrays. Block-form deps were silently dropped → MCP-dependency starvation. Exported + 7 unit tests.
• skill-linter — R008 slugifies anchor refs the same way headings are slugified, eliminating false-positive broken-link errors on headings with &/(/).

Robustness

• runtime-materializer — syncMcpsIntoClaudeJson no longer stub-rewrites .claude.json on a transient read error (EMFILE/EACCES); it rewrites only on ENOENT / parse error, preserving session/auth state.
• telemetry-ingest, shared-profiles — atomic tmp+rename writes (the latter's doc comment already claimed atomicity it didn't have).
• shared-profiles — profile fetch bounded by a 10s AbortSignal.timeout.
• status — homedir() fallback instead of the literal "~" (which join never expands).
• skills, init — handle non-zero subprocess exits instead of crashing the wizard / treating a failed install as success.

Test plan

• bun run typecheck — clean
• bun test on all touched suites — 226/226 pass, incl. 7 new skill-dependencies parser tests
• Independent read-only code review of the security/correctness changes — all CORRECT, no regressions
• CI green on this PR

Notes

Each fix was re-verified against current main (the audit originally ran on a stale branch). One audit finding — a pair-suggestions.ts typecheck break — was already fixed on main and is intentionally excluded. Three other audit findings were judged false-positives (inheritance depth-vs-width, an intentional cluster sort, a cosmetic regex) and intentionally not changed.

🤖 Generated with Claude Code