Fix CodeRabbit review issues: path traversal, URLs, docs, setup.sh

- Add path traversal validation in configApply() for source and
  destination paths in file-manifest.json
- Use default-assignment for CODEFORGE_DIR in deprecation guard
- Replace old GitHub Pages URLs with custom domain
  (codeforge.core-directive.com)
- Add .checksums/ and .markers/ to architecture docs tree
- Clarify "How to Reset" section in troubleshooting docs
- Fix "merged" → "migrated content from" in changelog wording

Author: AnExiledDev

.devcontainer/CHANGELOG.md

@@ -110,6 +110,11 @@
 - **`agent-system/README.md`** — updated `verify-no-regression.py` comment to list both consumers (implementer, refactorer); hyphenated "question-surfacing protocol"
 - **`orchestrator-system-prompt.md`** — clarified plan mode allows investigator delegation for research; added catch-all entry in selection criteria pointing to the full specialist catalog
 - **MD040 compliance** — added `text` language specifiers to 7 fenced code blocks across `investigator.md`, `tester.md`, and `documenter.md`
+- **`setup.js` path traversal** — `configApply()` now validates that source paths resolve within `.codeforge/` and destination paths resolve within allowed directories (`CLAUDE_CONFIG_DIR`, `HOME`, `/usr/local/`), preventing directory traversal via `../` in manifest entries
+- **`setup.sh` CODEFORGE_DIR** — deprecation guard now uses default-assignment semantics (`:=`) instead of unconditional overwrite, preserving any user-defined `CODEFORGE_DIR` from `.env`
+- **Docs site URLs** — replaced `anexileddev.github.io/CodeForge/` with custom domain `codeforge.core-directive.com/` across README.md, CLAUDE.md, and .devcontainer/README.md
+- **Architecture docs** — added `.checksums/` and `.markers/` directories to the `.codeforge/` tree in architecture.md
+- **Troubleshooting docs** — renamed "Reset to Defaults" to "How to Reset" and clarified that `--reset` preserves `.codeforge/` user modifications; added step for restoring default config sources
 
 ### Changed
 

.devcontainer/CLAUDE.md

@@ -201,4 +201,4 @@ Three mechanisms handle port access depending on your client:
 
 VS Code auto-detects all ports opened inside the container (configured via `portsAttributes` in `devcontainer.json`). Outside VS Code, `dbr` provides dynamic port discovery via a reverse connection model (container→host). The container daemon auto-starts and is inert without the host daemon (`dbr host-daemon`). Both mechanisms coexist. See [devcontainer-bridge](https://github.com/bradleybeddoes/devcontainer-bridge).
 
-For full setup instructions, see the [Port Forwarding reference](https://anexileddev.github.io/CodeForge/reference/port-forwarding/) in the docs.
+For full setup instructions, see the [Port Forwarding reference](https://codeforge.core-directive.com/reference/port-forwarding/) in the docs.

.devcontainer/README.md

@@ -432,7 +432,7 @@ The `setup-projects.sh` script auto-detects projects under `/workspaces/` and ma
 
 ## Troubleshooting
 
-Common issues and solutions. For detailed troubleshooting, see the [Troubleshooting](https://anexileddev.github.io/CodeForge/reference/troubleshooting/) page on the docs site.
+Common issues and solutions. For detailed troubleshooting, see the [Troubleshooting](https://codeforge.core-directive.com/reference/troubleshooting/) page on the docs site.
 
 | Problem | Solution |
 |---------|----------|
@@ -447,11 +447,11 @@ Common issues and solutions. For detailed troubleshooting, see the [Troubleshoot
 ## Further Reading
 
 **CodeForge Documentation**:
-- [Configuration Reference](https://anexileddev.github.io/CodeForge/customization/configuration/) — all env vars and config options
-- [Plugin System](https://anexileddev.github.io/CodeForge/plugins/) — plugin architecture and per-plugin docs
-- [Optional Features](https://anexileddev.github.io/CodeForge/customization/optional-features/) — mcp-qdrant and other optional components, disabling features
-- [Keybinding Customization](https://anexileddev.github.io/CodeForge/customization/keybindings/) — resolving VS Code conflicts
-- [Troubleshooting](https://anexileddev.github.io/CodeForge/reference/troubleshooting/) — common issues and solutions
+- [Configuration Reference](https://codeforge.core-directive.com/customization/configuration/) — all env vars and config options
+- [Plugin System](https://codeforge.core-directive.com/plugins/) — plugin architecture and per-plugin docs
+- [Optional Features](https://codeforge.core-directive.com/customization/optional-features/) — mcp-qdrant and other optional components, disabling features
+- [Keybinding Customization](https://codeforge.core-directive.com/customization/keybindings/) — resolving VS Code conflicts
+- [Troubleshooting](https://codeforge.core-directive.com/reference/troubleshooting/) — common issues and solutions
 
 **External**:
 - [Claude Code Documentation](https://docs.anthropic.com/en/docs/claude-code)

.devcontainer/scripts/setup.sh

@@ -46,7 +46,7 @@ fi
 if [ "$CONFIG_SOURCE_DIR" = "$DEVCONTAINER_DIR/config" ] || [ "$CONFIG_SOURCE_DIR" = "/workspaces/.devcontainer/config" ]; then
     echo "[setup] WARNING: CONFIG_SOURCE_DIR pointing to .devcontainer/config is deprecated (moved to .codeforge in v2.0)"
     echo "[setup]   Redirecting to .codeforge."
-    CODEFORGE_DIR="${WORKSPACE_ROOT:?}/.codeforge"
+    : "${CODEFORGE_DIR:=${WORKSPACE_ROOT:?}/.codeforge}"
     unset CONFIG_SOURCE_DIR
     if [ -f "$ENV_FILE" ]; then
         sed -i 's|^CONFIG_SOURCE_DIR=.*\.devcontainer/config.*|# CONFIG_SOURCE_DIR removed (v2.0: now uses .codeforge)|' "$ENV_FILE"

README.md

@@ -109,7 +109,7 @@ CodeForge operates in three layers, each building on the one below:
 
 **Claude Code** — The AI assistant, executing tools and coordinating work. CodeForge enhances it through configuration — replacing built-in subagents, adding safety guardrails, and wiring up quality checks that run automatically.
 
-For the full architecture breakdown — hook pipeline, agent routing, skill loading, and design principles — see the [Architecture Reference](https://anexileddev.github.io/CodeForge/reference/architecture/).
+For the full architecture breakdown — hook pipeline, agent routing, skill loading, and design principles — see the [Architecture Reference](https://codeforge.core-directive.com/reference/architecture/).
 
 ## Configuration
 
@@ -127,7 +127,7 @@ All configuration lives in `.devcontainer/` and deploys automatically on contain
 
 Config files use SHA-256 change detection — your edits persist across container rebuilds unless the source changes. Set a file's overwrite mode to `"never"` in `file-manifest.json` to permanently preserve your customizations.
 
-For the complete configuration guide, see the [documentation site](https://anexileddev.github.io/CodeForge/customization/configuration/).
+For the complete configuration guide, see the [documentation site](https://codeforge.core-directive.com/customization/configuration/).
 
 ## Quick Start
 

docs/src/content/docs/reference/architecture.md

@@ -171,6 +171,8 @@ CodeForge ships 38 skills across the skill-engine, spec-workflow, ticket-workflo
 |   +-- connect-external-terminal.sh   # External terminal connection (Linux/macOS)
 |   +-- connect-external-terminal.ps1  # External terminal connection (Windows)
 +-- .codeforge-preserve            # Lists additional files to preserve during updates
++-- .checksums/                    # File hashes for change detection (gitignored)
++-- .markers/                      # Migration state markers (gitignored)
 ```
 
 ## Design Principles

docs/src/content/docs/reference/troubleshooting.md

@@ -130,15 +130,17 @@ Any local feature can be disabled without removing it from `devcontainer.json` b
 - Subsequent starts skip unchanged config files (SHA-256 comparison).
 - Disable steps you don't need via `.env` (e.g., `SETUP_PROJECTS=false`). See [Environment Variables — Setup Variables](./environment/#setup-variables-env).
 
-## How to Reset to Defaults
+## How to Reset
 
-1. **Reset config files** — delete `~/.claude/` and restart the container. `setup-config.sh` will recopy all files from `.codeforge/config/`. Note that `--reset` preserves `.codeforge/` user modifications (only `.devcontainer/` is wiped).
+1. **Reset runtime config** — delete `~/.claude/` and restart the container. `setup-config.sh` will redeploy all files from `.codeforge/config/`. This resets the deployed copies but preserves your `.codeforge/` source files (user modifications remain intact).
 
-2. **Reset aliases** — delete the `# Claude Code environment and aliases` block from `~/.bashrc` and `~/.zshrc`, then run `bash /workspaces/.devcontainer/scripts/setup-aliases.sh`.
+2. **Restore default config sources** — run `git checkout .codeforge/config/` to discard any local edits to the source files, then restart the container to redeploy.
 
-3. **Full reset** — rebuild the container from scratch (VS Code: **Dev Containers: Rebuild Container**).
+3. **Reset aliases** — delete the `# Claude Code environment and aliases` block from `~/.bashrc` and `~/.zshrc`, then run `bash /workspaces/.devcontainer/scripts/setup-aliases.sh`.
 
-4. **Reset a single feature** — set it to `"version": "none"`, rebuild, then set it back to the desired version and rebuild again.
+4. **Full reset** — rebuild the container from scratch (VS Code: **Dev Containers: Rebuild Container**). This recreates everything but still preserves `.codeforge/` user modifications since they live in the repository.
+
+5. **Reset a single feature** — set it to `"version": "none"`, rebuild, then set it back to the desired version and rebuild again.
 
 ## Related
 

setup.js

@@ -532,14 +532,37 @@ function configApply() {
 			);
 		}
 
-		const srcPath = path.join(codeforgeDir, entry.src);
+		const codeforgeRoot = path.resolve(codeforgeDir);
+		const srcPath = path.resolve(codeforgeRoot, entry.src);
+		if (!srcPath.startsWith(codeforgeRoot + path.sep)) {
+			console.log("  Skip: " + entry.src + " (source path escapes .codeforge/)");
+			skipped++;
+			continue;
+		}
 		if (!fs.existsSync(srcPath)) {
 			console.log("  Skip: " + entry.src + " (not found)");
 			skipped++;
 			continue;
 		}
 
-		const destDir = expandVars(entry.dest);
+		const homeDir = path.resolve(process.env.HOME || "/home/vscode");
+		const allowedDestRoots = [
+			path.resolve(claudeConfigDir),
+			homeDir,
+			"/usr/local",
+		];
+		const destDir = path.resolve(expandVars(entry.dest));
+		const destAllowed = allowedDestRoots.some(
+			(root) => destDir === root || destDir.startsWith(root + path.sep),
+		);
+		if (!destAllowed) {
+			console.log(
+				"  Skip: " + entry.dest + " (destination outside allowed directories)",
+			);
+			skipped++;
+			continue;
+		}
+
 		const filename = entry.destFilename || path.basename(entry.src);
 		const destPath = path.join(destDir, filename);
 		fs.mkdirSync(destDir, { recursive: true });