From e6f6ae3326ace4887afec7f21f3cb2f9845e1b1b Mon Sep 17 00:00:00 2001 From: Wes Cole Date: Thu, 26 Feb 2026 09:12:02 -0500 Subject: [PATCH] chore: add changeset for security hardening fixes --- .changeset/curvy-wolves-prove.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .changeset/curvy-wolves-prove.md diff --git a/.changeset/curvy-wolves-prove.md b/.changeset/curvy-wolves-prove.md new file mode 100644 index 0000000..420af0b --- /dev/null +++ b/.changeset/curvy-wolves-prove.md @@ -0,0 +1,11 @@ +--- +"@godaddy/cli": patch +--- + +Hardened CLI security in three areas without changing intended workflows: + +- Block extension deploy path traversal by validating `handle` and `source` stay within the extension workspace. +- Quote and escape generated `.env` values to prevent newline/comment-based env injection. +- Restrict truncation `full_output` dump permissions to owner-only (`0700` dir, `0600` files). + +Also adds regression tests covering these protections.
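
Review bot: The opening claim "without changing intended workflows" sits above three bullets that each change something a user can observe, and the changeset text (which becomes the changelog entry for `@godaddy/cli`) does not say what that is. For the first bullet, state what happens when `handle` or `source` fails validation, for example that the deploy is rejected with an error. For the second, note that generated `.env` values are now written quoted and escaped, since anything that reads those files sees the new form. For the third, say whether the `0700` directory and `0600` file modes apply only to newly written `full_output` dumps or are also applied to dumps that already exist on disk. Separately, this commit changes only `.changeset/curvy-wolves-prove.md` (1 file, 11 insertions), so the closing line "Also adds regression tests covering these protections" describes work that lives in other commits; either reword it to say the tests exist, or land the changeset together with the fixes and tests so the entry can be checked against the change it describes.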