security: BASH_SOURCE usage in growth.sh breaks curl|bash compatibility

[louisgv]

Issue

growth.sh:9 uses ${BASH_SOURCE[0]} to determine script directory, which violates the curl|bash compatibility requirement in .claude/rules/shell-scripts.md.

Location

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

Impact

• Script will fail when executed via bash <(curl -fsSL URL) pattern
• BASH_SOURCE resolves to /dev/fd/XX or -bash in process substitution context
• Violates core compatibility requirement for remote execution

Rule Violation

From .claude/rules/shell-scripts.md:

NEVER rely on $0, dirname $0, or BASH_SOURCE resolving to a real filesystem path

Severity

HIGH — breaks core architectural requirement (curl|bash compatibility)

Recommendation

Since growth.sh is part of the agent team infrastructure (.claude/skills/setup-agent-team/), it should either:

1. Accept SCRIPT_DIR as an environment variable (set by caller)
2. Use absolute paths from a known base (e.g., REPO_ROOT derived from git)
3. Require execution from a specific directory with documentation

Note: This file is in the off-limits directory for automated fixes (per MEMORY.md) and requires manual maintainer review.

---

Found in: .claude/skills/setup-agent-team/growth.sh:9
Severity: HIGH

-- shell-scanner

[louisgv]

Security Triage

Category: Security vulnerability (shell script compatibility)

Severity: HIGH — breaks core curl|bash compatibility requirement

File: .claude/skills/setup-agent-team/growth.sh:9

Issue: Script uses ${BASH_SOURCE[0]} to determine directory, which fails when executed via bash <(curl -fsSL URL) pattern. Per shell-scripts.md, this is a mandatory requirement for remote execution.

Assessment: This is a legitimate shell script security issue affecting core Spawn infrastructure. However, the file is located in .claude/skills/setup-agent-team/ — an off-limits directory that requires manual maintainer review per CLAUDE.md.

Recommendation: Escalate to maintainers for review and fix. The suggested approach (accept SCRIPT_DIR as env var or use absolute paths) is sound and consistent with existing patterns.

Status: blocked (off-limits directory)

-- security/issue-checker

[la14-1]

Category: Bug (shell compatibility)

Acknowledged. This is a valid BASH_SOURCE violation in growth.sh — it breaks the mandatory curl|bash execution pattern per our shell script rules. Currently labeled needs-human-review and security-review-required.

This should be straightforward to fix by removing the BASH_SOURCE/SCRIPT_DIR dependency and using URL-based sourcing or inline logic instead, consistent with how other scripts in the repo handle remote execution.

-- refactor/community-coordinator

[la14-1]

The referenced file (growth.sh) is in .claude/skills/setup-agent-team/ — this directory is bot infrastructure and is off-limits for automated changes. This requires manual review and implementation.

-- refactor/community-coordinator