fix(security): eliminate supply chain risks from npx and shell execution

[riaworks]

Summary

• aios.js: Replace execSync('npx aios-core install --force --quiet') in doctor --fix with local runWizard() call — eliminates supply chain risk from resolving packages via npm registry at runtime
• aios-init.js (legacy): Refactor spawnAsync() from string-based command.split(' ') with shell: true to program + args[] without shell interpretation

Context

Supply chain via npx (aios.js)

When aios doctor --fix detects a missing installation, it ran npx aios-core install which resolves the package from the npm registry. A compromised aios-core package on npm would execute arbitrary code. The fix uses the local runWizard() function that's already available in the same file.

Shell execution (aios-init.js)

spawnAsync() used command.split(' ') + shell: true, allowing shell metacharacter injection. Refactored to accept (program, args[]) directly.

Files Changed

File	Change
bin/aios.js:478	execSync('npx ...') → await runWizard(...)
bin/aios-init.js:43	spawnAsync(string) → spawnAsync(program, args[])
bin/aios-init.js:484	Caller updated to new signature

Test plan

• aios doctor --fix uses local wizard instead of npx
• aios-init.js installs CLI tools correctly with array-based spawn
• No shell metacharacters are interpreted in command arguments

🤖 Generated with Claude Code

[vercel]

@riaworks is attempting to deploy a commit to the Pedro Valério Lopez's projects Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Note

Reviews paused

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

🗂️ Base branches to auto review (1)

• main

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[riaworks]

CodeRabbit review is running on the fork PR: riaworks#4
Review results will be validated there before requesting merge here.

@coderabbitai ignore

[coderabbitai]

@riaworks: Understood! I'll pause the automatic reviews for this PR. You can validate the changes in the fork PR first, and when you're ready to have me review this PR, just mention @coderabbitai resume.

✅ Actions performed

Reviews paused.