chore: bump version to 4.5.0

Bug fixes:
- Fix inverted pager detection logic (returned error instead of path)
- Fix repo.Clone ignoring destination directory parameter
- Fix sheet loading using append on pre-sized slices
- Clean up partial files on copy failure
- Trim whitespace from editor config

Security:
- Add path traversal protection for cheatsheet names

Performance:
- Move regex compilation outside search loop
- Replace string concatenation with strings.Join in search

Build:
- Remove go:generate; embed config and usage as string literals
- Parallelize release builds
- Add fuzz testing infrastructure

Testing:
- Improve test coverage from 38.9% to 50.2%
- Add fuzz tests for search, filter, tags, and validation

Documentation:
- Fix inaccurate code examples in HACKING.md
- Add missing --conf and --all options to man page
- Add ADRs for path traversal, env parsing, and search parallelization
- Update CONTRIBUTING.md to reflect project policy

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cmd/cheat/path_traversal_integration_test.go

@@ -0,0 +1,216 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// TestPathTraversalIntegration tests that the cheat binary properly blocks
+// path traversal attempts when invoked as a subprocess.
+func TestPathTraversalIntegration(t *testing.T) {
+	// Build the cheat binary
+	binPath := filepath.Join(t.TempDir(), "cheat_test")
+	if output, err := exec.Command("go", "build", "-o", binPath, ".").CombinedOutput(); err != nil {
+		t.Fatalf("Failed to build cheat: %v\nOutput: %s", err, output)
+	}
+
+	// Set up test environment
+	testDir := t.TempDir()
+	sheetsDir := filepath.Join(testDir, "sheets")
+	os.MkdirAll(sheetsDir, 0755)
+
+	// Create config
+	config := fmt.Sprintf(`---
+editor: echo
+colorize: false
+pager: cat
+cheatpaths:
+  - name: test
+    path: %s
+    readonly: false
+`, sheetsDir)
+
+	configPath := filepath.Join(testDir, "config.yml")
+	if err := os.WriteFile(configPath, []byte(config), 0644); err != nil {
+		t.Fatalf("Failed to write config: %v", err)
+	}
+
+	// Test table
+	tests := []struct {
+		name     string
+		command  []string
+		wantFail bool
+		wantMsg  string
+	}{
+		// Blocked patterns
+		{
+			name:     "block parent traversal edit",
+			command:  []string{"--edit", "../evil"},
+			wantFail: true,
+			wantMsg:  "cannot contain '..'",
+		},
+		{
+			name:     "block absolute path edit",
+			command:  []string{"--edit", "/etc/passwd"},
+			wantFail: true,
+			wantMsg:  "cannot be an absolute path",
+		},
+		{
+			name:     "block home dir edit",
+			command:  []string{"--edit", "~/.ssh/config"},
+			wantFail: true,
+			wantMsg:  "cannot start with '~'",
+		},
+		{
+			name:     "block parent traversal remove",
+			command:  []string{"--rm", "../evil"},
+			wantFail: true,
+			wantMsg:  "cannot contain '..'",
+		},
+		{
+			name:     "block complex traversal",
+			command:  []string{"--edit", "foo/../../bar"},
+			wantFail: true,
+			wantMsg:  "cannot contain '..'",
+		},
+		{
+			name:     "block just dots",
+			command:  []string{"--edit", ".."},
+			wantFail: true,
+			wantMsg:  "cannot contain '..'",
+		},
+		{
+			name:     "block empty name",
+			command:  []string{"--edit", ""},
+			wantFail: true,
+			wantMsg:  "cannot be empty",
+		},
+		// Allowed patterns
+		{
+			name:     "allow simple name",
+			command:  []string{"--edit", "docker"},
+			wantFail: false,
+		},
+		{
+			name:     "allow nested name",
+			command:  []string{"--edit", "lang/go"},
+			wantFail: false,
+		},
+		{
+			name:     "block hidden file",
+			command:  []string{"--edit", ".gitignore"},
+			wantFail: true,
+			wantMsg:  "cannot start with '.'",
+		},
+		{
+			name:     "allow current dir",
+			command:  []string{"--edit", "./local"},
+			wantFail: false,
+		},
+	}
+
+	// Run tests
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			cmd := exec.Command(binPath, tc.command...)
+			cmd.Env = []string{
+				fmt.Sprintf("CHEAT_CONFIG_PATH=%s", configPath),
+				fmt.Sprintf("HOME=%s", testDir),
+			}
+			output, err := cmd.CombinedOutput()
+
+			if tc.wantFail {
+				if err == nil {
+					t.Errorf("Expected failure but command succeeded. Output: %s", output)
+				}
+				if !strings.Contains(string(output), "invalid cheatsheet name") {
+					t.Errorf("Expected 'invalid cheatsheet name' error, got: %s", output)
+				}
+				if tc.wantMsg != "" && !strings.Contains(string(output), tc.wantMsg) {
+					t.Errorf("Expected message %q in output, got: %s", tc.wantMsg, output)
+				}
+			} else {
+				// Command might fail for other reasons (e.g., editor not found)
+				// but should NOT fail with "invalid cheatsheet name"
+				if strings.Contains(string(output), "invalid cheatsheet name") {
+					t.Errorf("Command incorrectly blocked. Output: %s", output)
+				}
+			}
+		})
+	}
+}
+
+// TestPathTraversalRealWorld tests with more realistic scenarios
+func TestPathTraversalRealWorld(t *testing.T) {
+	// This test ensures our protection works with actual file operations
+
+	// Build cheat
+	binPath := filepath.Join(t.TempDir(), "cheat_test")
+	if output, err := exec.Command("go", "build", "-o", binPath, ".").CombinedOutput(); err != nil {
+		t.Fatalf("Failed to build: %v\n%s", err, output)
+	}
+
+	// Create test structure
+	testRoot := t.TempDir()
+	sheetsDir := filepath.Join(testRoot, "cheatsheets")
+	secretDir := filepath.Join(testRoot, "secrets")
+	os.MkdirAll(sheetsDir, 0755)
+	os.MkdirAll(secretDir, 0755)
+
+	// Create a "secret" file that should not be accessible
+	secretFile := filepath.Join(secretDir, "secret.txt")
+	os.WriteFile(secretFile, []byte("SECRET DATA"), 0644)
+
+	// Create config using vim in non-interactive mode
+	config := fmt.Sprintf(`---
+editor: vim -u NONE -n --cmd "set noswapfile" --cmd "wq"
+colorize: false
+pager: cat
+cheatpaths:
+  - name: personal
+    path: %s
+    readonly: false
+`, sheetsDir)
+
+	configPath := filepath.Join(testRoot, "config.yml")
+	os.WriteFile(configPath, []byte(config), 0644)
+
+	// Test 1: Try to edit a file outside cheatsheets using traversal
+	cmd := exec.Command(binPath, "--edit", "../secrets/secret")
+	cmd.Env = []string{
+		fmt.Sprintf("CHEAT_CONFIG_PATH=%s", configPath),
+		fmt.Sprintf("HOME=%s", testRoot),
+	}
+	output, err := cmd.CombinedOutput()
+
+	if err == nil || !strings.Contains(string(output), "invalid cheatsheet name") {
+		t.Errorf("Path traversal was not blocked! Output: %s", output)
+	}
+
+	// Test 2: Verify the secret file is still intact
+	content, _ := os.ReadFile(secretFile)
+	if string(content) != "SECRET DATA" {
+		t.Errorf("Secret file was modified!")
+	}
+
+	// Test 3: Verify no files were created outside sheets directory
+	err = filepath.Walk(testRoot, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.IsDir() &&
+			path != configPath &&
+			path != secretFile &&
+			!strings.HasPrefix(path, sheetsDir) {
+			t.Errorf("File created outside allowed directory: %s", path)
+		}
+		return nil
+	})
+	if err != nil {
+		t.Errorf("Walk error: %v", err)
+	}
+}