security: Fix 3 critical issues from external review round 4 (v2.0.8)

This commit addresses all FAIL/CRITICAL issues identified by Codex and
Gemini verification reviews of v2.0.6 and v2.0.7.

CRITICAL SECURITY FIX #1: Command substitution after secret export
──────────────────────────────────────────────────────────────────────
Issue: External dirname command executed after API key fetch/export,
       enabling PATH poisoning to leak credentials

Codex PoC: Successfully leaked LINUX_FETCHED_SECRET_789 via malicious
           dirname in PATH

Fix: Replaced $(dirname "$var") with ${var%/*} shell builtin
     - bin/glm-mcp-wrapper:161 - npx_dir="${npx_bin%/*}"
     - bin/claude-by-glm:303 - claude_dir="${claude_bin%/*}"

Impact: Eliminates credential leak surface completely by avoiding
        external command execution after secrets are in environment

CRITICAL PORTABILITY FIX #2: realpath -m regression
──────────────────────────────────────────────────────────────────────
Issue: Plain realpath requires paths to exist, breaking:
       - Fresh installations (install dir doesn't exist yet)
       - Clean home scenarios (sessions dir not created yet)
       - First-run validation (paths validated before creation)

Affected: scripts/install.sh:43, scripts/uninstall.sh:46,
          bin/glm-cleanup-sessions:121,125,242,243 (6 locations)

Fix: Added canonicalize_path() function to scripts/common-utils.sh
     - Portable to both GNU (Linux) and BSD (macOS)
     - Works with non-existent paths by canonicalizing parent + basename
     - Falls back gracefully when realpath unavailable
     - Handles recursive parent canonicalization

Impact: Restores installation and cleanup functionality on macOS and
        in all first-run scenarios

CRITICAL FUNCTIONALITY FIX #3: Incomplete nvm/volta support
──────────────────────────────────────────────────────────────────────
Issue: bin/glm-mcp-wrapper was updated for nvm/volta in v2.0.6, but
       bin/claude-by-glm validation was not, blocking nvm/volta users

Fix: Added nvm/volta paths to claude validation trust pattern
     - bin/claude-by-glm:291 - Added "$HOME"/.nvm/*/bin/claude
     - bin/claude-by-glm:291 - Added "$HOME"/.volta/bin/claude
     - Updated error message to include new trusted paths

Impact: nvm/volta users can now use claude-by-glm wrapper without
        "Untrusted claude path" errors

Verification:
─────────────
✅ Syntax checks: PASS (all 7 modified files)
✅ Security scan: PASS (gitleaks found no issues)
✅ Shellcheck: PASS (no new warnings)

Security Properties Maintained:
────────────────────────────────
✅ PATH hardening intact (trusted paths only)
✅ Binary validation enforced (nvm/volta now trusted)
✅ Config isolation preserved (CLAUDE_CONFIG_DIR separation)
✅ No command substitution after secret operations
✅ Path canonicalization prevents traversal attacks

External Review Status:
───────────────────────
Round 4 identified 3 CRITICAL issues in v2.0.6/v2.0.7
All 3 issues now resolved in v2.0.8
Ready for verification review round 5

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: wgsim

VERSION

@@ -1 +1 @@
-2.0.7
+2.0.8

bin/claude-by-glm

@@ -287,20 +287,22 @@ EOF
     claude_bin="$(command -v claude)" || handle_error "claude binary not found in PATH"
 
     # Validate claude is in a trusted location to prevent PATH poisoning
+    # Support nvm/volta installations as well
     case "$claude_bin" in
-        /usr/bin/claude|/usr/local/bin/claude|/opt/homebrew/bin/claude|"$HOME/.claude-glm-mcp/bin/claude")
+        /usr/bin/claude|/usr/local/bin/claude|/opt/homebrew/bin/claude|"$HOME/.claude-glm-mcp/bin/claude"|"$HOME"/.nvm/*/bin/claude|"$HOME"/.volta/bin/claude)
             # Trusted path - continue
             ;;
         *)
-            handle_error "Untrusted claude path: $claude_bin (expected in /usr/bin, /usr/local/bin, /opt/homebrew/bin, or ~/.claude-glm-mcp/bin)"
+            handle_error "Untrusted claude path: $claude_bin (expected in /usr/bin, /usr/local/bin, /opt/homebrew/bin, ~/.claude-glm-mcp/bin, ~/.nvm/*/bin, or ~/.volta/bin)"
             ;;
     esac
 
     # Use minimal trusted PATH to prevent PATH poisoning attacks
     # Include claude_bin directory to support nvm/volta users
     # Don't use exec - let trap cleanup run on exit
+    # Use shell builtin to avoid command execution after secret fetch
     local claude_dir
-    claude_dir="$(dirname "$claude_bin")"
+    claude_dir="${claude_bin%/*}"
 
     env -i \
         PATH="/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/homebrew/bin:$HOME/.claude-glm-mcp/bin:$claude_dir" \

bin/glm-cleanup-sessions

@@ -117,12 +117,13 @@ EXPECTED_BASE="$HOME/.claude-glm"
 SESSIONS_DIR="${CLAUDE_CONFIG_DIR:-$EXPECTED_BASE}/glm-sessions"
 
 # Validate sessions directory is within expected location (prevent path manipulation)
+# Use portable canonicalization that works with non-existent directories
 if command -v realpath &>/dev/null; then
-    canonical_dir="$(realpath "$SESSIONS_DIR" 2>/dev/null)" || {
+    canonical_dir="$(canonicalize_path "$SESSIONS_DIR")" || {
         print_error "Cannot resolve sessions directory: $SESSIONS_DIR"
         exit 1
     }
-    canonical_expected="$(realpath "$EXPECTED_BASE/glm-sessions" 2>/dev/null)" || {
+    canonical_expected="$(canonicalize_path "$EXPECTED_BASE/glm-sessions")" || {
         print_error "Cannot resolve expected directory"
         exit 1
     }
@@ -237,9 +238,10 @@ if [[ ${#DELETE_SESSIONS[@]} -gt 0 ]]; then
         session_file="$SESSIONS_DIR/$session_id.json"
 
         # Canonicalize path and verify it's within SESSIONS_DIR
+        # Use portable canonicalization that works with non-existent files
         if command -v realpath &>/dev/null; then
-            canonical_path="$(realpath "$session_file" 2>/dev/null || echo "$session_file")"
-            canonical_dir="$(realpath "$SESSIONS_DIR" 2>/dev/null || echo "$SESSIONS_DIR")"
+            canonical_path="$(canonicalize_path "$session_file" || echo "$session_file")"
+            canonical_dir="$(canonicalize_path "$SESSIONS_DIR" || echo "$SESSIONS_DIR")"
 
             if [[ "$canonical_path" != "$canonical_dir"/* ]]; then
                 print_error "Session path outside sessions directory: $session_id"

bin/glm-mcp-wrapper

@@ -157,8 +157,9 @@ main() {
     # Execute the MCP server with sanitized environment
     # Only pass essential variables to prevent leakage
     # Note: npx_bin already validated, so we include its directory in PATH
+    # Use shell builtin to avoid command execution after secret export
     local npx_dir
-    npx_dir="$(dirname "$npx_bin")"
+    npx_dir="${npx_bin%/*}"
 
     exec env -i \
         PATH="/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/homebrew/bin:$npx_dir" \

scripts/common-utils.sh

@@ -54,6 +54,51 @@ handle_error() {
     exit 1
 }
 
+# Portable path canonicalization that works with non-existent paths
+# Works on both GNU (Linux) and BSD (macOS) systems
+# Args: $1 - path to canonicalize (may or may not exist)
+# Returns: canonical absolute path via stdout, or empty on error
+canonicalize_path() {
+    local target="$1"
+
+    # Empty path is invalid
+    [[ -n "$target" ]] || return 1
+
+    # If realpath not available, return as-is
+    if ! command -v realpath &>/dev/null; then
+        echo "$target"
+        return 0
+    fi
+
+    # If path exists, use realpath directly
+    if [[ -e "$target" ]]; then
+        realpath "$target" 2>/dev/null || return 1
+        return 0
+    fi
+
+    # Path doesn't exist - canonicalize parent + basename
+    # This is portable to both GNU and BSD realpath
+    local parent
+    local basename
+    parent="$(dirname "$target")"
+    basename="$(basename "$target")"
+
+    # Canonicalize parent directory (which should exist or be /)
+    local canonical_parent
+    if [[ "$parent" == "." ]]; then
+        canonical_parent="$(pwd)"
+    elif [[ -e "$parent" ]]; then
+        canonical_parent="$(realpath "$parent" 2>/dev/null)" || return 1
+    else
+        # Parent doesn't exist either - recursively canonicalize
+        canonical_parent="$(canonicalize_path "$parent")" || return 1
+    fi
+
+    # Combine canonical parent with basename
+    echo "${canonical_parent%/}/$basename"
+    return 0
+}
+
 # ============================================================================
 # OS Detection
 # ============================================================================

scripts/install.sh

@@ -37,16 +37,12 @@ validate_install_dir() {
         return 1
     fi
 
-    # Canonicalize if realpath available
+    # Canonicalize path (works with non-existent paths on both GNU/BSD)
     local canonical_dir
-    if command -v realpath &>/dev/null; then
-        canonical_dir="$(realpath "$raw")" || {
-            print_error "Cannot resolve INSTALL_DIR: $raw"
-            return 1
-        }
-    else
-        canonical_dir="$raw"
-    fi
+    canonical_dir="$(canonicalize_path "$raw")" || {
+        print_error "Cannot resolve INSTALL_DIR: $raw"
+        return 1
+    }
 
     # Reject unsafe directories
     local canonical_home

scripts/uninstall.sh

@@ -40,16 +40,12 @@ validate_install_dir() {
         return 1
     fi
 
-    # Canonicalize if realpath available
+    # Canonicalize path (works with non-existent paths on both GNU/BSD)
     local canonical_dir
-    if command -v realpath &>/dev/null; then
-        canonical_dir="$(realpath "$raw")" || {
-            print_error "Cannot resolve INSTALL_DIR: $raw"
-            return 1
-        }
-    else
-        canonical_dir="$raw"
-    fi
+    canonical_dir="$(canonicalize_path "$raw")" || {
+        print_error "Cannot resolve INSTALL_DIR: $raw"
+        return 1
+    }
 
     # Reject unsafe directories
     local canonical_home