fix: resolve 3 CRITICAL panics + 3 HIGH security vulnerabilities

CRITICAL fixes:
- Guard all `d.ID[:8]` with length checks to prevent panic on short IDs
  (cmd/deployments/helpers.go, cmd/open/open.go)
- Guard `(*d.EnvironmentID)[:8]` with length check (cmd/domains/domains_list.go)
- Fix PaginatedResponse.Pagination nesting — was always zero-valued because
  Pagination was a sibling of Data instead of nested inside it. Skills catalog
  TUI pagination (total count, hasNextPage) was silently broken.

Security fixes:
- Validate --api-url is HTTPS to prevent credential theft via attacker-controlled
  server (localhost/127.0.0.1 allowed for development)
- Reject absolute paths and '..' traversal in env pull/push --file flag to prevent
  writing to or reading from arbitrary filesystem locations
- Sanitize template name with filepath.Base() when used as directory name to prevent
  path traversal via malicious template names

Closes #14

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 2 people

cmd/deployments/helpers.go

@@ -55,7 +55,11 @@ func pickDeployment(client *api.APIClient, projectID string) (string, error) {
 
 	options := make([]string, len(deployments))
 	for i, d := range deployments {
-		label := fmt.Sprintf("%s  %s  %s", d.CreatedAt.Format("Jan 02 15:04"), d.Status, d.ID[:8])
+		id := d.ID
+		if len(id) > 8 {
+			id = id[:8]
+		}
+		label := fmt.Sprintf("%s  %s  %s", d.CreatedAt.Format("Jan 02 15:04"), d.Status, id)
 		if d.Source != nil && d.Source.Commit != "" {
 			commit := d.Source.Commit
 			if len(commit) > 7 {
@@ -65,7 +69,7 @@ func pickDeployment(client *api.APIClient, projectID string) (string, error) {
 			if len(msg) > 50 {
 				msg = msg[:50] + "…"
 			}
-			label = fmt.Sprintf("%s  %s  %s  %s %s", d.CreatedAt.Format("Jan 02 15:04"), d.Status, d.ID[:8], commit, msg)
+			label = fmt.Sprintf("%s  %s  %s  %s %s", d.CreatedAt.Format("Jan 02 15:04"), d.Status, id, commit, msg)
 		}
 		options[i] = label
 	}

cmd/domains/domains_list.go

@@ -58,7 +58,10 @@ func newDomainsListCommand() *cli.Command {
 					if name, ok := envName[*d.EnvironmentID]; ok {
 						env = name
 					} else {
-						env = (*d.EnvironmentID)[:8]
+						env = *d.EnvironmentID
+					if len(env) > 8 {
+						env = env[:8]
+					}
 					}
 				}
 				tableData = append(tableData, []string{d.ID, d.Name, env, icon + " " + d.Status, msg})

cmd/env/pull.go

@@ -3,6 +3,7 @@ package env
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"sort"
 	"strings"
 
@@ -38,6 +39,10 @@ func newEnvPullCommand() *cli.Command {
 				filePath = ".env." + env.UniqueName
 			}
 
+			if filepath.IsAbs(filePath) || strings.Contains(filePath, "..") {
+				return fmt.Errorf("--file must be a relative path without '..' (got %q)", filePath)
+			}
+
 			// Check if file exists
 			if !c.Bool("force") {
 				if _, err := os.Stat(filePath); err == nil {

cmd/env/push.go

@@ -3,6 +3,7 @@ package env
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/pterm/pterm"
@@ -37,6 +38,10 @@ func newEnvPushCommand() *cli.Command {
 				filePath = ".env." + env.UniqueName
 			}
 
+			if filepath.IsAbs(filePath) || strings.Contains(filePath, "..") {
+				return fmt.Errorf("--file must be a relative path without '..' (got %q)", filePath)
+			}
+
 			data, err := os.ReadFile(filePath) //nolint:gosec
 			if err != nil {
 				return fmt.Errorf("could not read %s: %w", filePath, err)

cmd/open/open.go

@@ -91,7 +91,11 @@ func NewOpenCommand() *cli.Command {
 				} else {
 					options := make([]string, len(deploymentsWithURL))
 					for i, d := range deploymentsWithURL {
-						options[i] = fmt.Sprintf("%s  %s  %s", d.CreatedAt.Format("Jan 02 15:04"), d.Status, d.ID[:8])
+						id := d.ID
+						if len(id) > 8 {
+							id = id[:8]
+						}
+						options[i] = fmt.Sprintf("%s  %s  %s", d.CreatedAt.Format("Jan 02 15:04"), d.Status, id)
 					}
 					selected, err := pterm.DefaultInteractiveSelect.
 						WithOptions(options).

cmd/root/root.go

@@ -3,6 +3,7 @@ package root
 
 import (
 	"fmt"
+	"net/url"
 	"time"
 
 	"github.com/urfave/cli/v2"
@@ -65,6 +66,14 @@ func NewApp() *cli.App {
 			// Store the output format in metadata
 			c.App.Metadata[output.FormatKey] = output.DetectFormat(c)
 
+			apiURL := c.String("api-url")
+			if apiURL != "" && apiURL != api.DefaultBaseURL {
+				parsed, err := url.Parse(apiURL)
+				if err != nil || (parsed.Scheme != "https" && parsed.Hostname() != "localhost" && parsed.Hostname() != "127.0.0.1") {
+					return fmt.Errorf("--api-url must use HTTPS (got %q)\n\n  Exception: localhost and 127.0.0.1 are allowed for development", apiURL)
+				}
+			}
+
 			cmd := c.Args().First()
 			if cmd == "" || cmd == "login" || cmd == "logout" || cmd == "version" || cmd == "completion" || cmd == "ask" {
 				return nil

cmd/templates/use.go

@@ -93,7 +93,10 @@ func newTemplatesUseCommand() *cli.Command {
 
 			dir := c.String("dir")
 			if dir == "" {
-				dir = tmpl.Name
+				dir = filepath.Base(tmpl.Name)
+				if dir == "." || dir == ".." {
+					return fmt.Errorf("template name %q is not safe as a directory name — use --dir to specify output directory", tmpl.Name)
+				}
 			}
 
 			absDir, err := filepath.Abs(dir)

internal/api/methods.go

@@ -145,9 +145,9 @@ func (c *APIClient) GetSkillDownloadURL(purchasedID string) (string, error) {
 // PaginatedResponse wraps a paginated list API response envelope.
 type PaginatedResponse[T any] struct {
 	Data struct {
-		Items []T `json:"data"`
+		Items      []T        `json:"data"`
+		Pagination Pagination `json:"pagination"`
 	} `json:"data"`
-	Pagination Pagination `json:"pagination"`
 }
 
 // Pagination holds metadata about a paginated response.
@@ -178,7 +178,7 @@ func (c *APIClient) ListAvailableSkillsForPurchase(searchText string, offset int
 	if resp.IsError() {
 		return nil, Pagination{}, ParseAPIError(resp.StatusCode(), resp.Body())
 	}
-	return result.Data.Items, result.Pagination, nil
+	return result.Data.Items, result.Data.Pagination, nil
 }
 
 // DeploymentExtra holds extra deployment metadata.