chore: bump version to 4.5.0

Bug fixes:
- Fix inverted pager detection logic (returned error instead of path)
- Fix repo.Clone ignoring destination directory parameter
- Fix sheet loading using append on pre-sized slices
- Clean up partial files on copy failure
- Trim whitespace from editor config

Security:
- Add path traversal protection for cheatsheet names

Performance:
- Move regex compilation outside search loop
- Replace string concatenation with strings.Join in search

Build:
- Remove go:generate; embed config and usage as string literals
- Parallelize release builds
- Add fuzz testing infrastructure

Testing:
- Improve test coverage from 38.9% to 50.2%
- Add fuzz tests for search, filter, tags, and validation

Documentation:
- Fix inaccurate code examples in HACKING.md
- Add missing --conf and --all options to man page
- Add ADRs for path traversal, env parsing, and search parallelization
- Update CONTRIBUTING.md to reflect project policy

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

build/embed.go

@@ -1,92 +0,0 @@
-//go:build ignore
-// +build ignore
-
-// This script embeds `docopt.txt and `conf.yml` into the binary during at
-// build time.
-
-package main
-
-import (
-	"fmt"
-	"io/ioutil"
-	"log"
-	"os"
-	"path/filepath"
-)
-
-func main() {
-
-	// get the cwd
-	cwd, err := os.Getwd()
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	// get the project root
-	root, err := filepath.Abs(cwd + "../../../")
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	// specify template file information
-	type file struct {
-		In     string
-		Out    string
-		Method string
-	}
-
-	// enumerate the template files to process
-	files := []file{
-		file{
-			In:     "cmd/cheat/docopt.txt",
-			Out:    "cmd/cheat/str_usage.go",
-			Method: "usage"},
-		file{
-			In:     "configs/conf.yml",
-			Out:    "cmd/cheat/str_config.go",
-			Method: "configs"},
-	}
-
-	// iterate over each static file
-	for _, file := range files {
-
-		// delete the outfile
-		os.Remove(filepath.Join(root, file.Out))
-
-		// read the static template
-		bytes, err := ioutil.ReadFile(filepath.Join(root, file.In))
-		if err != nil {
-			log.Fatal(err)
-		}
-
-		// render the template
-		data := template(file.Method, string(bytes))
-
-		// write the file to the specified outpath
-		spath := filepath.Join(root, file.Out)
-		err = ioutil.WriteFile(spath, []byte(data), 0644)
-		if err != nil {
-			log.Fatal(err)
-		}
-	}
-}
-
-// template packages the
-func template(method string, body string) string {
-
-	// specify the template string
-	t := `package main
-
-// Code generated .* DO NOT EDIT.
-
-import (
-	"strings"
-)
-
-func %s() string {
-	return strings.TrimSpace(%s)
-}
-`
-
-	return fmt.Sprintf(t, method, "`"+body+"`")
-}

build/fuzz.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Run fuzz tests for cheat
+# Usage: ./scripts/fuzz.sh [duration]
+#
+# Note: Go's fuzzer will fail immediately if it finds a known failing input
+# in the corpus (testdata/fuzz/*). This is by design - it ensures you fix
+# known bugs before searching for new ones. To see failing inputs:
+#   ls internal/*/testdata/fuzz/*/
+#
+
+set -e
+
+DURATION="${1:-15s}"
+
+# Define fuzz tests: "TestName:Package:Description"
+TESTS=(
+    "FuzzParse:./internal/sheet:YAML frontmatter parsing"
+    "FuzzValidateSheetName:./internal/cheatpath:sheet name validation (path traversal protection)"
+    "FuzzSearchRegex:./internal/sheet:regex search operations"
+    "FuzzSearchCatastrophicBacktracking:./internal/sheet:catastrophic backtracking"
+    "FuzzTagged:./internal/sheet:tag matching with malicious input"
+    "FuzzFilter:./internal/sheets:tag filtering operations"
+    "FuzzTags:./internal/sheets:tag aggregation and sorting"
+)
+
+echo "Running fuzz tests ($DURATION each)..."
+echo
+
+for i in "${!TESTS[@]}"; do
+    IFS=':' read -r test_name package description <<< "${TESTS[$i]}"
+    echo "$((i+1)). Testing $description..."
+    go test -fuzz="^${test_name}$" -fuzztime="$DURATION" "$package"
+    echo
+done
+
+echo "All fuzz tests passed!"