Aureliolo · Aureliolo · Mar 14, 2026 · Mar 14, 2026
@@ -15,10 +15,20 @@ Run this after squash-merging a PR to clean up the local repo.
    ```
 
 3. Delete local branches whose remote tracking branch is gone:
+
+   First check which branches are gone:
+
    ```bash
-   git branch -vv | grep '\[.*: gone\]' | awk '{print $1}' | xargs -r git branch -D
+   git branch -vv | grep '\[.*: gone\]'
    ```
-   If no gone branches exist, skip this step.
+
+   If no gone branches exist, skip this step. Otherwise, delete each one individually:
+
+   ```bash
+   git branch -D <branch-name>
+   ```
+
+   Do NOT use a piped `xargs` command — it triggers unnecessary permission prompts. Use separate `git branch -D` calls for each gone branch (can be combined in one call: `git branch -D branch1 branch2`).
 
 4. Check for any remaining non-main local branches and report them. Do NOT delete branches that still have a remote — only report them.
 

@@ -39,8 +39,12 @@
 	text := report.FormatText()
 
 	// Save to file.
+	safeDir, err := safeStateDir(state)
+	if err != nil {
+		return err
+	}
 	filename := fmt.Sprintf("synthorg-diagnostic-%s.txt", time.Now().Format("20060102-150405"))
-	savePath := filepath.Join(state.DataDir, filename)
+	savePath := filepath.Join(safeDir, filename)
 	if err := os.WriteFile(savePath, []byte(text), 0o600); err != nil {
 		_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "Warning: could not save diagnostic file: %v\n", err)
 	} else {

@@ -181,7 +181,12 @@
 }
 
 func writeInitFiles(state config.State) error {
-	if err := config.EnsureDir(state.DataDir); err != nil {
+	safeDir, err := config.SecurePath(state.DataDir)
+	if err != nil {
+		return err
+	}
+	state.DataDir = safeDir // normalize before persisting
+	if err := os.MkdirAll(safeDir, 0o700); err != nil {
 		return fmt.Errorf("creating data directory: %w", err)
 	}
 
@@ -191,7 +196,7 @@
 		return fmt.Errorf("generating compose file: %w", err)
 	}
 
-	composePath := filepath.Join(state.DataDir, "compose.yml")
+	composePath := filepath.Join(safeDir, "compose.yml")
 	if err := os.WriteFile(composePath, composeYAML, 0o600); err != nil {
 		return fmt.Errorf("writing compose file: %w", err)
 	}
@@ -228,7 +233,11 @@
 }
 
 func fileExists(path string) bool {
-	_, err := os.Stat(path)
+	safe, err := config.SecurePath(path)
+	if err != nil {
+		return false
+	}
+	_, err = os.Stat(safe)
 	return err == nil
 }
 

@@ -45,9 +45,13 @@
 		return fmt.Errorf("loading config: %w", err)
 	}
 
-	composePath := filepath.Join(state.DataDir, "compose.yml")
+	safeDir, err := safeStateDir(state)
+	if err != nil {
+		return err
+	}
+	composePath := filepath.Join(safeDir, "compose.yml")
 	if _, err := os.Stat(composePath); errors.Is(err, os.ErrNotExist) {
-		return fmt.Errorf("compose.yml not found in %s — run 'synthorg init' first", state.DataDir)
+		return fmt.Errorf("compose.yml not found in %s — run 'synthorg init' first", safeDir)
 	}
 
 	info, err := docker.Detect(ctx)
@@ -78,5 +82,5 @@
 	composeArgs = append(composeArgs, "--")
 	composeArgs = append(composeArgs, args...)
 
-	return composeRun(ctx, cmd, info, state.DataDir, composeArgs...)
+	return composeRun(ctx, cmd, info, safeDir, composeArgs...)
 }
@@ -41,6 +41,12 @@ func resolveDataDir() string {
 	return dir
 }
 
+// safeStateDir returns a validated absolute path from the loaded state's DataDir.
+// This satisfies CodeQL's go/path-injection by applying SecurePath at the call site.
+func safeStateDir(state config.State) (string, error) {
+	return config.SecurePath(state.DataDir)
+}
+
 // isInteractive returns true if stdin is a terminal (not piped or in CI).
 func isInteractive() bool {
 	fi, err := os.Stdin.Stat()

@@ -34,9 +34,13 @@
 		return fmt.Errorf("loading config: %w", err)
 	}
 
-	composePath := filepath.Join(state.DataDir, "compose.yml")
+	safeDir, err := safeStateDir(state)
+	if err != nil {
+		return err
+	}
+	composePath := filepath.Join(safeDir, "compose.yml")
 	if _, err := os.Stat(composePath); errors.Is(err, os.ErrNotExist) {
-		return fmt.Errorf("compose.yml not found in %s — run 'synthorg init' first", state.DataDir)
+		return fmt.Errorf("compose.yml not found in %s — run 'synthorg init' first", safeDir)
 	}
 
 	info, err := docker.Detect(ctx)
@@ -52,13 +56,13 @@
 
 	// Pull latest images.
 	_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Pulling images...")
-	if err := composeRun(ctx, cmd, info, state.DataDir, "pull"); err != nil {
+	if err := composeRun(ctx, cmd, info, safeDir, "pull"); err != nil {
 		return fmt.Errorf("pulling images: %w", err)
 	}
 
 	// Start containers.
 	_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Starting containers...")
-	if err := composeRun(ctx, cmd, info, state.DataDir, "up", "-d"); err != nil {
+	if err := composeRun(ctx, cmd, info, safeDir, "up", "-d"); err != nil {
 		return fmt.Errorf("starting containers: %w", err)
 	}
 

@@ -40,7 +40,11 @@
 
 	printVersionInfo(out, state)
 
-	composePath := filepath.Join(state.DataDir, "compose.yml")
+	safeDir, err := safeStateDir(state)
+	if err != nil {
+		return err
+	}
+	composePath := filepath.Join(safeDir, "compose.yml")
 	if _, err := os.Stat(composePath); errors.Is(err, os.ErrNotExist) {
 		_, _ = fmt.Fprintln(out, "Not initialized — run 'synthorg init' first.")
 		return nil
@@ -54,8 +58,8 @@
 	_, _ = fmt.Fprintf(out, "Docker:  %s\n", info.DockerVersion)
 	_, _ = fmt.Fprintf(out, "Compose: %s\n\n", info.ComposeVersion)
 
-	printContainerStates(ctx, out, info, state)
-	printResourceUsage(ctx, out, info, state)
+	printContainerStates(ctx, out, info, safeDir)
+	printResourceUsage(ctx, out, info, safeDir)
 	printHealthStatus(ctx, out, state)
 
 	return nil
@@ -67,8 +71,8 @@
 	_, _ = fmt.Fprintf(out, "Image tag:   %s\n\n", state.ImageTag)
 }
 
-func printContainerStates(ctx context.Context, out io.Writer, info docker.Info, state config.State) {
-	psOut, err := docker.ComposeExecOutput(ctx, info, state.DataDir, "ps", "--format", "json")
+func printContainerStates(ctx context.Context, out io.Writer, info docker.Info, dataDir string) {
+	psOut, err := docker.ComposeExecOutput(ctx, info, dataDir, "ps", "--format", "json")
 	if err != nil {
 		_, _ = fmt.Fprintf(out, "Could not get container states: %v\n", err)
 		return
@@ -77,9 +81,9 @@
 	_, _ = fmt.Fprintln(out, psOut)
 }
 
-func printResourceUsage(ctx context.Context, out io.Writer, info docker.Info, state config.State) {
+func printResourceUsage(ctx context.Context, out io.Writer, info docker.Info, dataDir string) {
 	// Get container IDs for this compose project only.
-	psOut, err := docker.ComposeExecOutput(ctx, info, state.DataDir, "ps", "-q")
+	psOut, err := docker.ComposeExecOutput(ctx, info, dataDir, "ps", "-q")
 	if err != nil || strings.TrimSpace(psOut) == "" {
 		return
 	}

@@ -30,9 +30,13 @@
 		return fmt.Errorf("loading config: %w", err)
 	}
 
-	composePath := filepath.Join(state.DataDir, "compose.yml")
+	safeDir, err := safeStateDir(state)
+	if err != nil {
+		return err
+	}
+	composePath := filepath.Join(safeDir, "compose.yml")
 	if _, err := os.Stat(composePath); errors.Is(err, os.ErrNotExist) {
-		return fmt.Errorf("compose.yml not found in %s — run 'synthorg init' first", state.DataDir)
+		return fmt.Errorf("compose.yml not found in %s — run 'synthorg init' first", safeDir)
 	}
 
 	info, err := docker.Detect(ctx)
@@ -41,7 +45,7 @@
 	}
 
 	_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Stopping containers...")
-	if err := composeRun(ctx, cmd, info, state.DataDir, "down"); err != nil {
+	if err := composeRun(ctx, cmd, info, safeDir, "down"); err != nil {
 		return fmt.Errorf("stopping containers: %w", err)
 	}
 

@@ -61,6 +61,10 @@
 
 func stopAndRemoveVolumes(cmd *cobra.Command, info docker.Info, state config.State) error {
 	ctx := cmd.Context()
+	safeDir, err := config.SecurePath(state.DataDir)
+	if err != nil {
+		return err
+	}
 
 	var removeVolumes bool
 	form := huh.NewForm(
@@ -85,7 +89,7 @@
 		_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Removing volumes...")
 	}
 
-	if err := composeRun(ctx, cmd, info, state.DataDir, downArgs...); err != nil {
+	if err := composeRun(ctx, cmd, info, safeDir, downArgs...); err != nil {
 		return fmt.Errorf("stopping containers: %w", err)
 	}
 
@@ -106,7 +110,10 @@
 	}
 
 	if removeData {
-		dir := state.DataDir
+		dir, err := config.SecurePath(state.DataDir)
+		if err != nil {
+			return err
+		}
 		// Safety: refuse to remove root, home, or empty paths.
 		home, _ := os.UserHomeDir()
 		if dir == "" || dir == "/" || dir == home || (len(dir) == 3 && dir[1] == ':' && dir[2] == '\\') {

@@ -93,19 +93,24 @@ func updateContainerImages(cmd *cobra.Command) error {
 		return fmt.Errorf("loading config: %w", err)
 	}
 
+	safeDir, err := safeStateDir(state)
+	if err != nil {
+		return err
+	}
+
 	info, err := docker.Detect(ctx)
 	if err != nil {
 		_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "Warning: Docker not available, skipping image update: %v\n", err)
 		return nil
 	}
 
 	_, _ = fmt.Fprintln(out, "Pulling latest container images...")
-	if err := composeRun(ctx, cmd, info, state.DataDir, "pull"); err != nil {
+	if err := composeRun(ctx, cmd, info, safeDir, "pull"); err != nil {
 		return fmt.Errorf("pulling images: %w", err)
 	}
 
 	// Check if containers are running and offer restart.
-	psOut, err := docker.ComposeExecOutput(ctx, info, state.DataDir, "ps", "-q")
+	psOut, err := docker.ComposeExecOutput(ctx, info, safeDir, "ps", "-q")
 	if err != nil {
 		_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "Warning: could not check container status: %v\n", err)
 		return nil
@@ -129,10 +134,10 @@ func updateContainerImages(cmd *cobra.Command) error {
 	}
 
 	_, _ = fmt.Fprintln(out, "Restarting...")
-	if err := composeRun(ctx, cmd, info, state.DataDir, "down"); err != nil {
+	if err := composeRun(ctx, cmd, info, safeDir, "down"); err != nil {
 		return fmt.Errorf("stopping containers: %w", err)
 	}
-	if err := composeRun(ctx, cmd, info, state.DataDir, "up", "-d"); err != nil {
+	if err := composeRun(ctx, cmd, info, safeDir, "up", "-d"); err != nil {
 		return fmt.Errorf("restarting containers: %w", err)
 	}
 

@@ -3,6 +3,7 @@
 package config
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -17,7 +18,12 @@ const appDirName = "synthorg"
 func DataDir() string {
 	home, err := os.UserHomeDir()
 	if err != nil {
-		home = "." // fallback to current directory
+		// Fallback to absolute CWD so SecurePath's absolute-path check passes.
+		if cwd, cwdErr := os.Getwd(); cwdErr == nil {
+			home = cwd
+		} else {
+			home = "/" // last resort — will be valid on Unix, best-effort on Windows
+		}
 	}
 	return dataDirForOS(runtime.GOOS, home, os.Getenv("LOCALAPPDATA"), os.Getenv("XDG_DATA_HOME"))
 }
@@ -40,7 +46,27 @@ func dataDirForOS(goos, home, localAppData, xdgDataHome string) string {
 	}
 }
 
+// SecurePath validates that a path is absolute and returns a cleaned version.
+// This satisfies static analysis (CodeQL go/path-injection) by ensuring
+// environment-variable-derived paths are sanitized before filesystem use.
+//
+// Security note: this validates path format only. The CLI trusts user-provided
+// paths (--data-dir, config file) by design — the user controls their own
+// installation directory. No filesystem containment is enforced.
+func SecurePath(path string) (string, error) {
+	clean := filepath.Clean(path)
+	if !filepath.IsAbs(clean) {
+		return "", fmt.Errorf("path must be absolute, got %q", path)
+	}
+	return clean, nil
+}
+
 // EnsureDir creates the directory (and parents) if it does not exist.
+// The path must be absolute.
 func EnsureDir(path string) error {
-	return os.MkdirAll(path, 0o700)
+	safe, err := SecurePath(path)
+	if err != nil {
+		return err
+	}
+	return os.MkdirAll(safe, 0o700)
 }