fix(installer): guard artifact target paths #162

Open
NgoQuocViet2001 wants to merge 1 commit into rohitg00:main from NgoQuocViet2001:harden-install-target-paths

@NgoQuocViet2001

What this PR does

  • Validates artifact frontmatter name values before using them in installer destination paths.
  • Keeps generated install targets under the requested target directory for all layouts.
  • Reports a concise CLI error if an artifact name is unsafe.

Kind of change

  • New lesson
  • Fix to an existing lesson
  • Translation
  • New output (prompt, skill, agent, MCP server)
  • Docs / website / tooling

Checklist

  • Code runs without errors with the listed dependencies
  • No comments in code files
  • Built from scratch first, then shown with a framework
  • Lesson folder matches LESSON_TEMPLATE.md structure
  • ROADMAP.md row for the lesson is a markdown link ([Name](phases/...)), not bare text
  • Tested locally / code output matches what docs/en.md claims

Phase / lesson

Installer tooling: scripts/install_skills.py.

Notes for reviewer

install_skills.py uses artifact metadata to derive output paths. This keeps valid slug-style artifact names working as before, while rejecting names with path separators, ..-style traversal, drive-like values, or hidden/empty names before files are copied.

Duplicate check: searched open and recent PRs/issues for install_skills, target paths, path traversal, and artifact-name sanitization; no overlapping fix found.

Validation

  • Ran: python -m py_compile scripts/install_skills.py
  • Ran: python scripts/install_skills.py _tmp-install-preview --type all --layout flat --dry-run
  • Ran: targeted Python harness confirming safe names still map normally and unsafe names like ../escape, sub/name, .hidden, C:drive, and empty names are rejected
  • Ran: python scripts/audit_lessons.py
  • Ran: python scripts/check_readme_counts.py
  • Ran: git diff --check

@coderabbitai

coderabbitai Bot commented May 25, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c38e06c4-0880-404a-910e-9cf0938083f5

📥 Commits

Reviewing files that changed from the base of the PR and between 4415dc8 and 636054f.

📒 Files selected for processing (1)
  • scripts/install_skills.py

📝 Walkthrough

The PR adds input validation to the skill installation script to prevent unsafe artifact names and destination path traversal. A new regex pattern defines allowed artifact name characters, two guard functions validate names and paths, the path computation integrates these checks, and main catches validation errors to exit cleanly.

Changes

Path and name validation

| Layer / File(s) | Summary |
| --- | --- |
| Validation rules and imports (scripts/install_skills.py) | Adds re module import and SAFE_ARTIFACT_NAME_RE regex constant defining the allowed character set and pattern for artifact names. |
| Validation helper functions (scripts/install_skills.py) | Implements safe_artifact_name() to reject unsafe names with ValueError and ensure_target_path() to prevent path traversal by resolving paths and verifying destinations remain within the target root. |
| Integration into path computation and error handling (scripts/install_skills.py) | Updates target_path() to derive destinations from validated artifact names and confirm via ensure_target_path(). Updates main() to catch ValueError from build_plan(), print error to stderr, and exit with code 1. |

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'fix(installer): guard artifact target paths' directly summarizes the main security-focused change of validating and sanitizing artifact destination paths. |
| Description check | ✅ Passed | The description clearly relates to the changeset by explaining what the PR does (validates artifact names, guards target paths, reports errors) and provides extensive validation details. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

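The two guards named in the PR notes and the walkthrough, as an added example that is not the PR's code: the function names come from the walkthrough, but the bodies, the regex, the `is_safe` and `symlink_escape_is_caught` helpers and the `skills` layout directory are assumptions made here. It also shows why the resolved-path check is still needed once the name is clean: a layout directory that is a symlink out of the target root.

```python
import re
import tempfile
from pathlib import Path

# Assumed slug pattern; the PR's actual SAFE_ARTIFACT_NAME_RE is not shown on this page.
SAFE_ARTIFACT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")


def safe_artifact_name(name):
    """Return name unchanged if it is a single slug-style path component."""
    if not isinstance(name, str) or not SAFE_ARTIFACT_NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe artifact name: {name!r}")
    return name


def ensure_target_path(root, dest):
    """Return dest resolved, or raise if it does not land strictly under root."""
    root_resolved = Path(root).resolve()
    dest_resolved = Path(dest).resolve()
    if root_resolved not in dest_resolved.parents:
        raise ValueError(f"destination escapes target root: {dest}")
    return dest_resolved


def target_path(root, layout_dir, name):
    """Build root/layout_dir/<name> with both guards applied."""
    return ensure_target_path(root, Path(root) / layout_dir / safe_artifact_name(name))


def is_safe(name):
    try:
        safe_artifact_name(name)
    except ValueError:
        return False
    return True


def symlink_escape_is_caught():
    """A clean name still escapes if the layout directory is a symlink out of root."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = Path(tmp, "target"), Path(tmp, "outside")
        root.mkdir()
        outside.mkdir()
        (root / "skills").symlink_to(outside, target_is_directory=True)
        try:
            target_path(root, "skills", "my-skill")
        except ValueError:
            return True
        return False
```
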
