Context
From the same moox/kosit-validator install security review. Two lower-severity config-safety issues: kosit:install --force recursively deletes a fully config-controlled path, and the download URLs are env()-overridable with no host allowlist. Sequenced after the RCE-hardening ticket because both edit the install command.
What to build
kosit:install is safe against a misconfigured base path and against being retargeted at an unexpected download host.
Acceptance criteria
Blocked by
Context
From the same
moox/kosit-validatorinstall security review. Two lower-severity config-safety issues:kosit:install --forcerecursively deletes a fully config-controlled path, and the download URLs areenv()-overridable with no host allowlist. Sequenced after the RCE-hardening ticket because both edit the install command.What to build
kosit:installis safe against a misconfigured base path and against being retargeted at an unexpected download host.Acceptance criteria
--forcedeletion is scoped to the known validator/XRechnung subdirectories (or validates that the configured base path lives under the expected package storage root) — it never recursively deletes an arbitrary configured directory.Blocked by