fix: validate remote-supplied cwd against project directory

The remote workflow controls payload.cwd, but handleLocalOp never
checked that it falls within options.directory. A misbehaving workflow
could set cwd:"/" to escape the path sandbox entirely. Now cwd is
validated at the top of handleLocalOp before any operation runs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: betegon

src/lib/init/local-ops.ts

@@ -149,6 +149,19 @@ export async function handleLocalOp(
   options: WizardOptions
 ): Promise<LocalOpResult> {
   try {
+    // Validate that the remote-supplied cwd is within the user's project directory
+    const normalizedCwd = path.resolve(payload.cwd);
+    const normalizedDir = path.resolve(options.directory);
+    if (
+      normalizedCwd !== normalizedDir &&
+      !normalizedCwd.startsWith(normalizedDir + path.sep)
+    ) {
+      return {
+        ok: false,
+        error: `Blocked: cwd "${payload.cwd}" is outside project directory "${options.directory}"`,
+      };
+    }
+
     switch (payload.operation) {
       case "list-dir":
         return await listDir(payload);

test/lib/init/local-ops.test.ts

@@ -111,10 +111,11 @@ describe("validateCommand", () => {
 
 describe("handleLocalOp", () => {
   let testDir: string;
-  const options = makeOptions();
+  let options: WizardOptions;
 
   beforeEach(() => {
     testDir = mkdtempSync(join("/tmp", "local-ops-test-"));
+    options = makeOptions({ directory: testDir });
   });
 
   afterEach(() => {
@@ -182,6 +183,50 @@ describe("handleLocalOp", () => {
     });
   });
 
+  describe("cwd sandboxing", () => {
+    test("rejects cwd outside project directory", async () => {
+      const payload: ListDirPayload = {
+        type: "local-op",
+        operation: "list-dir",
+        cwd: "/",
+        params: { path: "." },
+      };
+
+      const result = await handleLocalOp(payload, options);
+      expect(result.ok).toBe(false);
+      expect(result.error).toContain("outside project directory");
+    });
+
+    test("allows cwd equal to project directory", async () => {
+      writeFileSync(join(testDir, "file.txt"), "x");
+
+      const payload: ListDirPayload = {
+        type: "local-op",
+        operation: "list-dir",
+        cwd: testDir,
+        params: { path: "." },
+      };
+
+      const result = await handleLocalOp(payload, options);
+      expect(result.ok).toBe(true);
+    });
+
+    test("allows cwd that is a subdirectory of project directory", async () => {
+      mkdirSync(join(testDir, "sub"));
+      writeFileSync(join(testDir, "sub", "file.txt"), "x");
+
+      const payload: ListDirPayload = {
+        type: "local-op",
+        operation: "list-dir",
+        cwd: join(testDir, "sub"),
+        params: { path: "." },
+      };
+
+      const result = await handleLocalOp(payload, options);
+      expect(result.ok).toBe(true);
+    });
+  });
+
   describe("list-dir", () => {
     test("lists files and directories with correct types", async () => {
       writeFileSync(join(testDir, "file1.txt"), "a");
@@ -489,7 +534,7 @@ describe("handleLocalOp", () => {
         params: { commands: ["rm -rf /", "echo hello"] },
       };
 
-      const dryRunOptions = makeOptions({ dryRun: true });
+      const dryRunOptions = makeOptions({ dryRun: true, directory: testDir });
       const result = await handleLocalOp(payload, dryRunOptions);
       expect(result.ok).toBe(true);
       const results = (
@@ -657,7 +702,7 @@ describe("handleLocalOp", () => {
         },
       };
 
-      const dryRunOptions = makeOptions({ dryRun: true });
+      const dryRunOptions = makeOptions({ dryRun: true, directory: testDir });
       const result = await handleLocalOp(payload, dryRunOptions);
       expect(result.ok).toBe(true);
 
@@ -681,7 +726,7 @@ describe("handleLocalOp", () => {
         },
       };
 
-      const dryRunOptions = makeOptions({ dryRun: true });
+      const dryRunOptions = makeOptions({ dryRun: true, directory: testDir });
       const result = await handleLocalOp(payload, dryRunOptions);
       expect(result.ok).toBe(false);
       expect(result.error).toContain("outside project directory");