feat: harden installer and improve install reliability (#93)

* feat: add release workflow and enhance install script with checksum verification and local install options

* fix: update release workflow to commit checksums to main and adjust trigger conditions

* fix: update checksum generation to use find for better file selection

* Update checksums.txt

* feat: add per-project configuration support and update installation script

* Update checksums.txt

* fix: use CLAUDE_PEON_DIR for packs directory in tests

* Update checksums.txt

* feat: add support for CLAUDE_PEON_DIR override in config and state directory resolution

* Update checksums.txt

* feat: auto-detect repo URL and default to kenyiu/peon-ping fork

- Add detect_repo_info() and detect_clone_url() functions to install.sh
- Auto-detect current repo from git remote when running from local clone
- Support PEON_REPO_URL and PEON_CLONE_URL environment variables
- Default to kenyiu/peon-ping instead of tonyyont/peon-ping
- Update peon.sh version check URL to use kenyiu fork
- Update update message to reference correct install URL

* Update checksums.txt

* docs: update README to point to kenyiu fork

* feat: add local_only config option for local installation only

- Add local_only field to config.json (default: false)
- Update peon.sh to check global config for local_only setting
- When local_only is true and no local config exists, exit silently
- Document the option in README.md

This allows teams to enforce per-project configuration by setting
local_only: true in the global config. The hook will only run when
a local ./.claude/hooks/peon-ping/config.json exists.

* Update checksums.txt

* feat: support explicit global/local install modes

Make installer behavior deterministic by separating global and local modes, adding init-local-config, and prompting to resolve conflicting existing installs.

* Update checksums.txt

* docs: update contributor link for Orc Peon character in README

* Update checksums.txt

* feat: enhance security checks for pack installation and checksum generation

* Update checksums.txt

* docs: streamline README install and config sections

---------

Co-authored-by: ken <3939605+kenyiu@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: kenyiu

.github/workflows/release.yml

@@ -0,0 +1,87 @@
+name: Release
+
+on:
+  push:
+    branches: [main]
+    tags: ["v*"]
+  workflow_dispatch:
+
+jobs:
+  checksums-main:
+    if: github.ref == 'refs/heads/main'
+    runs-on: macos-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Generate checksums
+        run: |
+          files=(
+            install.sh
+            uninstall.sh
+            peon.sh
+            relay.sh
+            completions.bash
+            completions.fish
+            VERSION
+            config.json
+            adapters/codex.sh
+            adapters/cursor.sh
+            adapters/opencode.sh
+            adapters/opencode/peon-ping.ts
+            skills/peon-ping-toggle/SKILL.md
+            skills/peon-ping-config/SKILL.md
+            docs/peon-icon.png
+          )
+          shasum -a 256 "${files[@]}" > checksums.txt
+
+      - name: Commit checksums to main
+        run: |
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+          git add checksums.txt
+          git commit -m "Update checksums.txt" || echo "No changes to commit"
+          git push
+
+  checksums-release:
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: macos-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Generate checksums
+        run: |
+          files=(
+            install.sh
+            uninstall.sh
+            peon.sh
+            relay.sh
+            completions.bash
+            completions.fish
+            VERSION
+            config.json
+            adapters/codex.sh
+            adapters/cursor.sh
+            adapters/opencode.sh
+            adapters/opencode/peon-ping.ts
+            skills/peon-ping-toggle/SKILL.md
+            skills/peon-ping-config/SKILL.md
+            docs/peon-icon.png
+          )
+          shasum -a 256 "${files[@]}" > checksums.txt
+
+      - name: Upload checksums to release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ github.ref_name }}
+          generate_release_notes: true
+          files: checksums.txt
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -16,4 +16,4 @@ jobs:
         run: brew install bats-core
 
       - name: Run tests
-        run: bats tests/
+        run: cd tests && bats .

README.md

@@ -12,34 +12,50 @@ AI coding agents don't notify you when they finish or need permission. You tab a
 
 ## Install
 
+### Option 1: Homebrew (recommended)
+
 ```bash
 brew install PeonPing/tap/peon-ping
 ```
 
 Then run `peon-ping-setup` to register hooks and download sound packs. macOS and Linux.
 
-**Or install via curl** (macOS, Linux, WSL2):
+### Option 2: Installer script (macOS, Linux, WSL2)
 
 ```bash
 curl -fsSL https://raw.githubusercontent.com/PeonPing/peon-ping/main/install.sh | bash
 ```
 
-One command. Takes 10 seconds. Re-run to update (sounds and config preserved). Installs 10 curated English packs by default.
+Installs 10 curated English packs by default. Re-run to update while preserving config/state.
+
+Useful installer flags:
+
+- `--all` — install all available packs
+- `--packs=peon,glados,...` — install specific packs only
+- `--local` — install into `./.claude/` for current project
+- `--global` — explicit global install (same as default)
+- `--init-local-config` — create `./.claude/hooks/peon-ping/config.json` only
 
-**Install all packs** (every language and franchise):
+`--local` does not modify your shell rc files (no global `peon` alias/completion injection).
+
+Examples:
 
 ```bash
 curl -fsSL https://raw.githubusercontent.com/PeonPing/peon-ping/main/install.sh | bash -s -- --all
+curl -fsSL https://raw.githubusercontent.com/PeonPing/peon-ping/main/install.sh | bash -s -- --packs=peon,glados
+curl -fsSL https://raw.githubusercontent.com/PeonPing/peon-ping/main/install.sh | bash -s -- --local
 ```
 
-**Project-local install** — installs into `.claude/` in the current project instead of `~/.claude/`:
+If a global install exists and you install local (or vice versa), the installer prompts you to remove the existing one to avoid conflicts.
+
+### Option 3: Clone and inspect first
 
 ```bash
-curl -fsSL https://raw.githubusercontent.com/PeonPing/peon-ping/main/install.sh | bash -s -- --local
+git clone https://github.com/PeonPing/peon-ping.git
+cd peon-ping
+./install.sh
 ```
 
-Local installs don't add the `peon` CLI alias or shell completions — use `/peon-ping-toggle` inside Claude Code instead.
-
 ## What you'll hear
 
 | Event | CESP Category | Examples |
@@ -84,7 +100,10 @@ Pausing mutes sounds and desktop notifications instantly. Persists across sessio
 
 peon-ping installs a `/peon-ping-toggle` slash command in Claude Code. You can also just ask Claude to change settings for you — e.g. "enable round-robin pack rotation", "set volume to 0.3", or "add glados to my pack rotation". No need to edit config files manually.
 
-The config lives at `$CLAUDE_CONFIG_DIR/hooks/peon-ping/config.json` (default: `~/.claude/hooks/peon-ping/config.json`):
+Config location depends on install mode:
+
+- Global install: `$CLAUDE_CONFIG_DIR/hooks/peon-ping/config.json` (default `~/.claude/hooks/peon-ping/config.json`)
+- Local install: `./.claude/hooks/peon-ping/config.json`
 
 ```json
 {

adapters/opencode.sh

@@ -25,6 +25,18 @@ OPENCODE_PLUGINS_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/opencode/plugins"
 PEON_CONFIG_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/opencode/peon-ping"
 PACKS_DIR="$HOME/.openpeon/packs"
 
+is_safe_source_repo() {
+  [[ "$1" =~ ^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$ ]]
+}
+
+is_safe_source_ref() {
+  [[ "$1" =~ ^[A-Za-z0-9._/-]+$ ]] && [[ "$1" != *".."* ]] && [[ "$1" != /* ]]
+}
+
+is_safe_source_path() {
+  [[ "$1" =~ ^[A-Za-z0-9._/-]+$ ]] && [[ "$1" != *".."* ]] && [[ "$1" != /* ]]
+}
+
 # --- Colors ---
 BOLD=$'\033[1m' DIM=$'\033[2m' RED=$'\033[31m' GREEN=$'\033[32m' YELLOW=$'\033[33m' RESET=$'\033[0m'
 
@@ -118,34 +130,38 @@ mkdir -p "$PACKS_DIR"
 if [ ! -d "$PACKS_DIR/$DEFAULT_PACK" ]; then
   info "Installing default sound pack '$DEFAULT_PACK' from registry..."
 
-  PACK_INFO=$(curl -fsSL "$REGISTRY_URL" 2>/dev/null \
-    | python3 -c "
+  REGISTRY_JSON=$(curl -fsSL "$REGISTRY_URL" 2>/dev/null || true)
+  PACK_INFO=$(PACK_NAME="$DEFAULT_PACK" python3 -c "
 import sys, json
 reg = json.load(sys.stdin)
 for p in reg.get('packs', []):
-    if p.get('name') == '$DEFAULT_PACK':
+    if p.get('name') == __import__('os').environ.get('PACK_NAME'):
         print(p.get('source_repo', ''))
         print(p.get('source_ref', ''))
         print(p.get('source_path', ''))
         break
-" 2>/dev/null || echo "")
+" <<< "$REGISTRY_JSON" 2>/dev/null || echo "")
 
   SOURCE_REPO=$(echo "$PACK_INFO" | sed -n '1p')
   SOURCE_REF=$(echo "$PACK_INFO" | sed -n '2p')
   SOURCE_PATH=$(echo "$PACK_INFO" | sed -n '3p')
 
-  if [ -n "$SOURCE_REPO" ] && [ -n "$SOURCE_REF" ]; then
+  if is_safe_source_repo "$SOURCE_REPO" && is_safe_source_ref "$SOURCE_REF" && is_safe_source_path "$SOURCE_PATH"; then
     TMPDIR_PACK=$(mktemp -d)
     TARBALL_URL="https://github.com/${SOURCE_REPO}/archive/refs/tags/${SOURCE_REF}.tar.gz"
     if curl -fsSL "$TARBALL_URL" -o "$TMPDIR_PACK/pack.tar.gz" 2>/dev/null; then
-      tar xzf "$TMPDIR_PACK/pack.tar.gz" -C "$TMPDIR_PACK" 2>/dev/null
-      EXTRACTED=$(find "$TMPDIR_PACK" -maxdepth 1 -type d ! -path "$TMPDIR_PACK" | head -1)
-      if [ -n "$EXTRACTED" ] && [ -d "$EXTRACTED/${SOURCE_PATH}" ]; then
-        mkdir -p "$PACKS_DIR/$DEFAULT_PACK"
-        cp -r "$EXTRACTED/${SOURCE_PATH}/"* "$PACKS_DIR/$DEFAULT_PACK/"
-        info "Pack '$DEFAULT_PACK' installed to $PACKS_DIR/$DEFAULT_PACK"
+      if tar tzf "$TMPDIR_PACK/pack.tar.gz" | grep -Eq '(^/|(^|/)\.\.(/|$))'; then
+        warn "Pack archive contains unsafe paths; skipping extraction."
       else
-        warn "Could not find pack in downloaded archive."
+        tar xzf "$TMPDIR_PACK/pack.tar.gz" -C "$TMPDIR_PACK" 2>/dev/null
+        EXTRACTED=$(find "$TMPDIR_PACK" -maxdepth 1 -type d ! -path "$TMPDIR_PACK" | head -1)
+        if [ -n "$EXTRACTED" ] && [ -d "$EXTRACTED/${SOURCE_PATH}" ]; then
+          mkdir -p "$PACKS_DIR/$DEFAULT_PACK"
+          cp -r "$EXTRACTED/${SOURCE_PATH}/"* "$PACKS_DIR/$DEFAULT_PACK/"
+          info "Pack '$DEFAULT_PACK' installed to $PACKS_DIR/$DEFAULT_PACK"
+        else
+          warn "Could not find pack in downloaded archive."
+        fi
       fi
     else
       warn "Could not download pack from registry. You can install packs manually later."

checksums.txt

@@ -0,0 +1,15 @@
+88dbc20a548f9c739b526222c0fc19dc4ec32dffcf1fc1f2353cef6672ece7aa  install.sh
+55198274c3b8a420aa14629a4b62f01b1f3f2deb03bbf411d5564666bc66f768  uninstall.sh
+c98f2c3db6351594203f026b5da052ca28387657e8ca97ebff0c971c1d2d085a  peon.sh
+4c5cdad13d724beea56e3eb87f0a10895edffe648840f6b502f78e89e058c4c8  relay.sh
+9ad599c0dab5ccfef8be663201500b6cb0affe083f59447d680a54300657dbac  completions.bash
+ac253c174720410e10b364014d2d25c5f4b93b7c62978b13782d76a26fdad12d  completions.fish
+cb1d9a30bc4ab8a397f39b7d786bb82aca0b816077eefc35d7c822017d75f6a5  VERSION
+21749ccf66c8878cda11cfd2656a7c1aa94c08a9099d9eb7144a5def9907096b  config.json
+9590f162df32506b09c6e4012f79e3786bcbb0e402a8bdfe87106f8ef8013e87  adapters/codex.sh
+d4cb668ec0ce244d4f1f8b6a0bc828630549d6e6dc1f4e1afe58481aada58f56  adapters/cursor.sh
+7778a5c455b53256db31fcdc14eb49c6436b8d2e43d6d0338183ac2378bafbad  adapters/opencode.sh
+1a7d34971bb43ed685cb8afab7cca7950a59d4159117a9e3e7aa454035fb0490  adapters/opencode/peon-ping.ts
+264c87d9bc5065c725c015e9a30e3ba17e428ec99659ab41723ec9838f335f92  skills/peon-ping-toggle/SKILL.md
+bbb0b6f218d57728f420e7622c09061a6ba60eafb8d32bcb96f4e401a1e39e9e  skills/peon-ping-config/SKILL.md
+efa546bce67316a9cc06736b834b2ec2ab54673c3812378cc456e154b9cc6b85  docs/peon-icon.png