fix(security): path traversal in create-askable-app scaffold allows writing outside cwd

[vamgan]

Summary

packages/create-askable-app/src/scaffold.js resolved the user-supplied project name argument directly to an absolute path without checking whether it stays within the current working directory:

const targetDir = path.resolve(process.cwd(), projectName);

A user running npm create @askable-ui/app ../../malicious would cause the scaffold to create directories and write template files outside the intended project root. In automated environments (CI/CD pipelines, containerised builds) where the project name comes from external input, this could overwrite arbitrary files within the process's write permission scope.

Impact

Low severity — exploitable only if the project name argument is supplied by untrusted input (e.g. environment variable in CI). Interactive developer use is not affected because the developer controls the argument.

Fix

Add a guard that throws if the resolved targetDir is not a descendant of process.cwd():

if (!targetDir.startsWith(process.cwd() + path.sep) && targetDir !== process.cwd()) {
  throw new Error(`Target directory must be inside the current working directory: ${targetDir}`);
}

Fixed in: claude/create-agents-md-fqfEf