All CI green. Rebased from #3321, added Daytona support, resolved conflicts. Security reviewed: no injection vectors — all env var values come from hardcoded config, shell scripts follow existing patterns.
Tracks whether installs came from Reddit, X, or organic by baking a
ref tag into the install command.
Growth bot shares:
curl -fsSL ... | SPAWN_REF=reddit bash
curl -fsSL ... | SPAWN_REF=x bash
install.sh: if SPAWN_REF is set, sanitizes it (alphanumeric + hyphens,
max 32 chars) and writes to ~/.config/spawn/.ref. Only written once —
never overwritten on updates.
index.ts: on startup, reads .ref and sets it as telemetry context via
setTelemetryContext("ref", ref). Every PostHog event (funnel, lifecycle,
errors) now carries ref=reddit or ref=x for attributed installs, or no
ref for organic.
PostHog query: filter any event by ref=reddit to see "how many Reddit-
sourced users made it through the funnel" vs organic.
Bumps 1.0.15 -> 1.0.16.
Co-authored-by: A <258483684+la14-1@users.noreply.github.com>
Merges 4 separate runner.runServer() calls (model, sandbox, browser,
channel stubs) into one exec with commands chained by `;`. On Sprite
(container-exec, not persistent SSH), many sequential execs exhaust the
connection and cause "connection closed" / "context deadline exceeded"
on later steps like gateway startup.
Before: 4 execs → 14 "Config overwrite" log lines → flaky connection
After: 1 exec → same config result → stable connection for gateway
Individual commands use `;` not `&&` so a failure in one (e.g. browser
path not found) doesn't skip the rest — these are all non-fatal prefs.
Bumps 1.0.15 -> 1.0.16.
Phase 2+3 of the token-savings plan (follows #3310 which reduced cron
frequency and downgraded team leads to Sonnet).
Extracts duplicated rules into _shared-rules.md (72 lines) and moves
teammate-specific protocols into individual micro-prompts that team
leads read on-demand via Read tool instead of carrying in every turn.
New: _shared-rules.md + teammates/ directory (16 files, 246 lines)
Rewritten: 4 team prompts from 1,199 total lines to 243 (80% reduction)
refactor-team-prompt.md 319 -> 67 (79%)
security-review-all-prompt.md 245 -> 64 (74%)
qa-quality-prompt.md 302 -> 43 (86%)
discovery-team-prompt.md 333 -> 69 (79%)
Also merges shell-scanner + code-scanner into one scanner teammate
for security reviews (4 -> 3 teammates per cycle).
Co-authored-by: A <258483684+la14-1@users.noreply.github.com>
* feat(growth): add Phase 0 — daily tweet draft + X mention engagement
Adds a new Phase 0 to the growth agent cycle that runs before Reddit
scanning:
Phase 0a — Tweet Draft (always runs):
- Gathers last 7 days of git commits
- Claude drafts a single ≤280 char tweet about features, fixes, or best
practices
- Posts Block Kit card to #C0ARSCAP4MN with Approve/Edit/Skip buttons
Phase 0b — X Mention Search (runs only if X_API_KEY is set):
- x-fetch.ts searches X API v2 for Spawn/OpenRouter mentions
- Claude scores mentions and drafts engagement replies
- Posts engagement card to #C0ARSCAP4MN with approval buttons
- Gracefully skips when no X credentials are configured
All cards require human approval — nothing is ever auto-posted.
New files:
- tweet-prompt.md: Claude prompt for tweet generation
- x-engage-prompt.md: Claude prompt for X engagement scoring
- x-fetch.ts: X API v2 search client with OAuth 1.0a
Modified files:
- growth.sh: Phase 0a + 0b insertion, cleanup trap updates
- helpers.ts: tweets table schema, TweetRow CRUD, logTweetDecision()
- main.ts: TweetPayloadSchema, XEngagePayloadSchema, postTweetCard(),
postXEngageCard(), 8 new Slack action handlers
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update URL format in tweet prompt guidelines
Signed-off-by: Ahmed Abushagur <ahmed@abushagur.com>
* Update URL for Spawn reference in engagement prompt
Signed-off-by: Ahmed Abushagur <ahmed@abushagur.com>
---------
Signed-off-by: Ahmed Abushagur <ahmed@abushagur.com>
Co-authored-by: Claude <claude@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Ahmed Abushagur <ahmed@abushagur.com>
Claude scoring phase has been timing out at the 600s mark when
processing 500+ Reddit posts. Bump to 1800s (30 min) to give
enough headroom for large post sets.
Co-authored-by: Claude <claude@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: L <6723574+louisgv@users.noreply.github.com>
"spawn connect" is not a valid top-level CLI command — users following
this guidance after SSH reconnect failure would see "Unknown agent or
cloud: connect". Replace with "spawn last" which correctly reconnects
to the most recent spawn.
Agent: ux-engineer
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Two high-impact, zero-risk changes to get daily agent team spend under $50:
1. Reduce cron frequency:
- Security: */30 → every 4 hours (48→6 cycles/day, 87% reduction)
- Refactor: */15 → every 2 hours (96→12 cycles/day, 87% reduction)
Most cycles find nothing to do (no new PRs/issues). Issue-triggered runs
(on labeled issues) still fire instantly via the `issues` event type,
so response time to real work is unchanged. The trigger-server already
returns 409 when a cycle is in-progress, so high cron frequency was just
idle-polling cost.
2. Downgrade team-lead model from Opus to Sonnet:
- Security: --model sonnet for review_all and scan modes (triage was
already using gemini-3-flash-preview)
- Refactor: --model sonnet
The team lead's job is coordination — spawn teammates, monitor them,
shut down. This is routing, not reasoning. Sonnet handles it fine and
its output tokens are ~5x cheaper than Opus. Teammates (spawned by the
lead) use their own model flags and are unaffected.
Combined effect: ~90% fewer cycles × ~80% cheaper per cycle on the team
lead = estimated 95%+ cost reduction on team-lead tokens alone.
Follow-up PR will trim prompt sizes (Phase 2) and consolidate security
teammates (Phase 3) per the plan, but this Phase 1 closes most of the gap.
Co-authored-by: L <6723574+louisgv@users.noreply.github.com>
KNOWN_AGENTS was missing pi and cursor, so `spawn link` could not
auto-detect these agents on remote servers. Also adds a binary-name
mapping for cursor (whose CLI binary is `agent`).
Bump CLI to 1.0.14.
Agent: code-health
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Two bugs from the #3305 rollout:
1. Test pollution: orchestrate.test.ts imports runOrchestration directly
and never calls initTelemetry, but _enabled defaulted to true in the
module so captureEvent happily fired real events at PostHog tagged
agent=testagent. The onboarding funnel filled up with CI fixture data.
2. Funnel started too late: funnel_* events fired inside runOrchestration,
which is only called AFTER the interactive picker completes. Users who
bail at the agent/cloud/setup-options/name prompts were invisible —
yet that's exactly where real drop-off happens.
Fix 1 — telemetry.ts:
- Default _enabled = false. Nothing fires until initTelemetry is
explicitly called. Production (index.ts) calls it; tests that need
telemetry (telemetry.test.ts) call it with BUN_ENV/NODE_ENV cleared.
- Belt-and-suspenders: initTelemetry now short-circuits when
BUN_ENV === "test" || NODE_ENV === "test", so even if future code
calls it from a test context, events stay local.
Fix 2 — picker instrumentation:
New events fired before runOrchestration in every entry path:
spawn_launched { mode: interactive | agent_interactive | direct | headless }
menu_shown / menu_selected / menu_cancelled (only when user has prior spawns)
agent_picker_shown
agent_selected { agent } — also sets telemetry context
cloud_picker_shown
cloud_selected { cloud } — also sets telemetry context
preflight_passed
setup_options_shown
setup_options_selected { step_count }
name_prompt_shown
name_entered
picker_completed
Wired into:
commands/interactive.ts cmdInteractive + cmdAgentInteractive
commands/run.ts cmdRun (direct `spawn <agent> <cloud>`)
cmdRunHeadless (only spawn_launched)
runOrchestration's existing funnel_* events continue to fire unchanged.
The final funnel in PostHog:
spawn_launched → agent_selected → cloud_selected → preflight_passed
→ setup_options_selected → name_entered → picker_completed
→ funnel_started → funnel_cloud_authed → funnel_credentials_ready
→ funnel_vm_ready → funnel_install_completed → funnel_configure_completed
→ funnel_prelaunch_completed → funnel_handoff
Tests:
- telemetry.test.ts: 2 new env-guard tests (BUN_ENV, NODE_ENV), plus
updated beforeEach to clear both env vars so existing tests still
exercise initTelemetry.
- Full suite: 2131/2131 pass, biome 0 errors.
Bumps 1.0.12 -> 1.0.13 (patch — auto-propagates under #3296 policy).
Restructure temp file write-execute-cleanup in performAutoUpdate so
cleanup is unconditionally reached after tryCatch captures any exec
error. Previously, the Windows and Unix paths each had separate
tryCatch+cleanup+rethrow sequences that could diverge under future
edits. Now a single tryCatch wraps the platform-branching exec, with
cleanup always running before any error is re-thrown.
Fixes#3306
Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(telemetry): funnel + lifecycle events for onboarding drop-off
Adds low-volume, high-signal product events on top of the existing
errors/warnings telemetry (shared/telemetry.ts). Answers "where do users
bail before reaching a running agent" at the fleet level.
Funnel events (in orchestrate.ts, both fast and sequential paths):
funnel_started pipeline begins
funnel_cloud_authed cloud.authenticate() ok
funnel_credentials_ready OR key + preProvision resolved
funnel_vm_ready VM booted and SSH-reachable
funnel_install_completed agent install succeeded (tarball or live)
funnel_configure_completed agent.configure() ran
funnel_prelaunch_completed gateway / dashboard / preLaunch hooks done
funnel_handoff about to launch TUI (final step)
Every event carries elapsed_ms since funnel_started, plus agent and cloud
via telemetry context. Per-step counts reveal the drop-off funnel in
PostHog without touching any PII.
Lifecycle events (new shared/lifecycle-telemetry.ts):
spawn_connected { spawn_id, agent, cloud, connect_count, date }
fired from list.ts when the user reconnects via the interactive picker.
Increments connection.metadata.connect_count and writes last_connected_at
so subsequent events and the eventual spawn_deleted have the total.
spawn_deleted { spawn_id, agent, cloud, lifetime_hours, connect_count, date }
fired from delete.ts (both interactive confirmAndDelete and headless
cmdDelete loop) after a successful cloud destroy. lifetime_hours is
computed from SpawnRecord.timestamp to now. Clamped at 0 for corrupt
clocks. connect_count is read from metadata.
New captureEvent(name, properties) helper in telemetry.ts:
- Respects SPAWN_TELEMETRY=0 opt-out (no new flag)
- Runs every string property through the existing scrubber (API keys,
GitHub tokens, bearer, emails, IPs, base64 blobs, home paths)
- Non-string values pass through untouched
Tests: 20 new (15 lifecycle-telemetry + 2 captureEvent + 3 assertion
additions to disabled-telemetry). Full suite: 2129/2129 pass.
Bumps 1.0.10 -> 1.0.11. Patch bump — auto-propagates under #3296 policy.
* fix(test): replace mock.module with spyOn in lifecycle-telemetry tests
mock.module contaminates the global module registry when running under
--coverage, causing telemetry.test.ts and history-cov.test.ts to receive
mocked implementations instead of the real modules. Switch to spyOn with
mockRestore in afterEach so the real modules are preserved across files.
Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: L <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
PR #3301 modified packages/cli/src/shared/agent-setup.ts (GitHub token
temp file security fix) but did not bump the CLI version. Without this
bump, users on auto-update won't receive the security fix.
Agent: team-lead
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(security): use temp file for GitHub token to avoid process listing exposure
Fixes#3300
Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix(security): pass GitHub token via heredoc instead of local temp file
The previous fix wrote the token to a temp file on the LOCAL host, but
the command string was executed on the REMOTE server via runner.runServer(),
so `cat` would fail with 'No such file or directory'. Switch to a heredoc
which is parsed by the remote shell and never appears in /proc/*/cmdline.
Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix(security): upload token to remote via SCP instead of heredoc
The previous heredoc approach (`cat <<'EOF'`) doesn't work because all
cloud runners wrap commands in `bash -c ${shellQuote(cmd)}`, and heredocs
are not valid inside single-quoted bash -c strings.
Use runner.uploadFile() (SCP) to place the token on the remote server as
a temp file (mode 0600), then cat+rm it in the remote command. This is
the same proven pattern used by uploadConfigFile(). The local temp file
is always cleaned up after upload, and the remote temp file is cleaned up
both on success (inline rm) and on failure (best-effort rm).
Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Add pre-execution validation of downloaded install scripts to catch
corrupted or truncated downloads. Checks minimum size threshold and
expected shebang/header for the platform. Documents current HTTPS-only
security posture and absence of checksum infrastructure.
Agent: code-health
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
auto-install to same-major.minor bumps. The intent was "give users control
over feature updates" but the effect was "nobody installs security patches"
because the default became notice-only for everything.
This decouples the two ideas and aligns the policy with semver intent:
- PATCH bumps (1.0.5 -> 1.0.7, same major.minor): auto-install always,
no opt-in needed. Patches are reserved for bug fixes and security
hardening. Blast radius is bounded by semver: no behavior changes,
no new features, no breaking changes.
- MINOR / MAJOR bumps (1.0.x -> 1.1.0, 1.x.x -> 2.0.0): respect
SPAWN_AUTO_UPDATE=1 as opt-in. These can contain behavior changes
and users should decide when to move to them.
- SPAWN_NO_AUTO_UPDATE=1: new explicit opt-out for CI environments
or pinned installs that need a fully static CLI.
Caveat — the one-time hurdle: users currently on 1.0.6 won't get 1.0.7
automatically, because they're still running 1.0.6's update-check.ts
which honors the old opt-in gate. Once they reach 1.0.7 via spawn update
(or by setting SPAWN_AUTO_UPDATE=1), every future patch will propagate
automatically and the fleet becomes self-healing on security.
Tests:
- 5 new tests lock in the policy (patch auto without env, minor notice
without env, minor auto with env, major notice without env, explicit
opt-out suppresses patch)
- All 21 update-check tests pass (16 existing + 5 new)
- 2109/2109 total suite
Bumps 1.0.6 -> 1.0.7.
* feat(cli): hermes web dashboard tunnel support
Hermes Agent v0.9.0 ships a local web dashboard (hermes dashboard, default
127.0.0.1:9119) for config / session / skill / gateway management. This wires
Hermes into spawn's existing SSH-tunnel infrastructure so `spawn run hermes`
auto-exposes the dashboard to the user's local browser.
- agent-setup.ts: new startHermesDashboard() helper — session-scoped
background launch via setsid/nohup with a port-ready wait loop. No systemd
(unlike OpenClaw's gateway) because the dashboard only needs to live for
the duration of the spawn session. Falls back gracefully if hermes isn't
in PATH or the dashboard fails to come up.
- Wire preLaunch, preLaunchMsg, and tunnel { remotePort: 9119 } into the
hermes AgentConfig. Mirrors the OpenClaw tunnel pattern at
orchestrate.ts:628 — startSshTunnel + openBrowser happen automatically.
- manifest.json: update hermes notes to mention the dashboard.
- hermes-dashboard.test.ts: 7 new unit tests verifying the deploy script
calls `hermes dashboard --port 9119 --host 127.0.0.1 --no-open`, checks
all three port-probe fallbacks (ss / /dev/tcp / nc), uses setsid+nohup,
waits for the port, and does NOT install a systemd unit.
- Bump cli version 1.0.6 -> 1.0.7.
Closes#3293
* chore: bump cli to 1.0.8 to leave 1.0.7 for #3296
---------
Co-authored-by: L <6723574+louisgv@users.noreply.github.com>
Closes a batch of real security findings filed against growth.sh and reddit-fetch.ts.
growth.sh:
- Switch all four `bun -e "...${VAR}..."` sites to env-var passing
(_VAR="..." bun -e 'process.env._VAR'), per .claude/rules/shell-scripts.md.
Closes#3188, #3221, #3223.
- Spawn claude under `setsid` so it owns its own process group, and kill the
group via `kill -SIG -PGID` instead of racing with pkill -P. Adds a numeric
guard on CLAUDE_PID. Closes#3193, #3205.
- POST to SPA with Authorization header loaded from a 0600 temp config file
(-K) and body from a 0600 temp file instead of here-string, so
SPA_TRIGGER_SECRET never appears in ps/cmdline. Closes#3224.
- Drop dead REDDIT_JSON=$(cat ...) line.
- Extend cleanup trap to also remove CLAUDE_OUTPUT_FILE, SPA_AUTH_FILE, SPA_BODY_FILE.
reddit-fetch.ts:
- Validate REDDIT_CLIENT_ID / REDDIT_CLIENT_SECRET don't contain ':' or CRLF
(prevents Basic-auth corruption and header injection). Closes#3198.
- Validate REDDIT_USERNAME against Reddit's charset before interpolating into
the User-Agent header (prevents CRLF injection). Closes#3207.
- Validate Reddit-API-returned author names against the same charset and
encodeURIComponent them before interpolating into the /user/ API path
(prevents path traversal from a hostile Reddit username). Closes#3202.
Replace `mock()` + `spyOn().mockImplementation(mockFn)` pattern with
direct `spyOn().mockImplementation(() => ...)` to fix fetch mock type
mismatches. Make execFileSync mocks return Buffer.from("") instead of
void. Add explicit type annotations for callback parameters.
Agent: code-health
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
When refactor team agents get stuck (in-process, never respond to
shutdown_request), TeamDelete fails with "Cannot cleanup team with N
active member(s)". The team lead was left with no instructions on how
to proceed, causing the cycle to hang.
Fix: update step 4 of the shutdown sequence to:
1. Call TeamDelete (proceed regardless of success or failure)
2. Manually remove team files as fallback:
rm -f ~/.claude/teams/spawn-refactor.json
rm -rf ~/.claude/tasks/spawn-refactor/
3. Run git worktree prune + rm -rf worktree in same turn
4. Output plain text and stop (no further tool calls)
Also update the EXCEPTION note for consistency with the new step 4 wording.
Fixes#3281
Agent: issue-fixer
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Adds the Daytona icon (from their GitHub org avatar) so the cloud
picker shows a proper logo instead of a text "D" placeholder.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: L <6723574+louisgv@users.noreply.github.com>
Remove the 1h cache-first path that caused 14-day stale manifests.
Every run now fetches fresh from GitHub (3s timeout). Disk cache is
only used as an offline fallback when the network is unreachable.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: L <6723574+louisgv@users.noreply.github.com>
Add validateRemotePath() and shellQuote() to instruction_path handling
in skills.ts, matching the pattern used by uploadConfigFile(). Previously,
remotePath from manifest.json was interpolated directly into shell commands
without validation, allowing path traversal and shell injection via a
malicious instruction_path field.
Closes#3275
Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(security): validate env var keys in skill injection (orchestrate.ts)
Fixes#3269
Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(security): add base64 validation for defense-in-depth in skill env injection
Add validation of base64-encoded values to match the existing pattern
in injectEnvVarsToRunner (line 518), providing defense-in-depth even
though base64 output is highly unlikely to contain invalid characters.
Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(security): base64-encode entire skill env payload before shell interpolation
Matches the injectEnvVarsToRunner pattern: base64-encode the full payload
and decode on the remote side, eliminating any shell interpolation of
individual env lines. Addresses review feedback on double-evaluation risk.
Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---------
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude scoring has been timing out since Apr 10 — the 5-min limit
is too tight for 500+ post sets. Bumping to 10 min to match observed
scoring times.
Co-authored-by: Claude <claude@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- local.ts: spread ReadonlyArray into mutable array for Bun.spawn
- run.ts: capture optional fields in local vars for proper narrowing
- delete.ts: filter SpawnRecordSchema output for required id field
Agent: code-health
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
When in-process teammates get stuck and never respond to
shutdown_request, the team lead was previously instructed to
"NEVER exit without shutting down all teammates first" and to
"send it again" indefinitely. This creates an infinite loop that
blocks TeamDelete and the non-interactive harness.
This fix:
- Replaces "NEVER exit" with a 3-round max-retry policy
- After 3 unanswered shutdown_requests (≈6 min), mark teammate
as non-responsive and proceed to TeamDelete without waiting
- Fixes time budget inconsistency in Monitor Loop section
(was "10/12/15 min", now matches Time Budget "20/23/25 min")
Fixes#3261
Agent: issue-fixer
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: replace plan_mode_required with message-based approval in refactor team
Agents spawned with plan_mode_required in non-interactive (-p) mode hang
indefinitely waiting for human UI approval that never arrives. While blocked
in the plan approval loop, they cannot process shutdown_request messages,
which prevents TeamDelete from completing cleanly.
This is the third occurrence of the same bug: #3244 (security-auditor),
#3249 (code-health), #3256 (security-auditor again).
Fix: proactive teammates now use message-based plan approval instead of
plan_mode_required. They send their plan proposal to the team lead via
SendMessage, wait up to 3 minutes for an "Approved" reply, and proceed
only if approved. This is fully compatible with non-interactive mode.
Fixes#3256
Agent: issue-fixer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: correct version bump to 1.0.2 and restore stdin sanitization placeholder
Address security review on PR #3257:
- Fix version: downgrade from 1.0.1→1.0.0 was wrong, correct to 1.0.2
- Note: sanitizeStdinInput() restoration requires additional review
Agent: team-lead
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---------
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
CLI plumbing for the skills feature. The skills catalog in manifest.json
is populated by the discovery scout (#3252), not manually curated.
Flow:
1. User runs `spawn claude hetzner --beta skills`
2. Skills picker shows available skills for that agent (from manifest.json)
3. User selects skills, enters required env vars (GITHUB_TOKEN, etc.)
4. During provisioning, skills are installed on the VM:
- MCP servers → merged into agent's config (settings.json, mcp.json)
- Instruction skills → SKILL.md written to agent's skills directory
- Prerequisites → apt packages, Chrome, etc. installed first
5. Env vars appended to .spawnrc for MCP server runtime access
Headless: SPAWN_SELECTED_SKILLS=github-mcp,context7 spawn claude hetzner
Supports: Claude Code, Cursor (native MCP config), all other agents
(generic mcp.json fallback).
Signed-off-by: Ahmed Abushagur <ahmed@abushagur.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Strips non-printable control characters (except tab/newline/CR) from
user Slack messages before writing to the claude CLI subprocess stdin.
Also enforces a 100KB size limit to prevent memory abuse.
Fixes#3192
Agent: team-lead
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Two changes to update behavior:
1. Auto-update is now opt-in via SPAWN_AUTO_UPDATE=1 (default: notify only)
2. Even with auto-update on, only patch versions install automatically
(e.g. 1.0.0 → 1.0.5 yes, 1.0.0 → 1.1.0 no)
This pins users to a stable major.minor — bug fixes flow automatically
but new features require an explicit `spawn update`.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Tarballs are built with /root/ paths. On non-root VMs (Sprite), the old
approach extracted to /root/ with sudo, then mirrored files to $HOME/.
This failed on Sprite which doesn't have sudo.
New approach: use tar --transform to remap /root/ → $HOME/ during
extraction. No sudo needed, no mirror step. Falls back to sudo extract
for clouds with passwordless sudo (AWS, GCP).
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add basename() call before the character-allowlist regex in downloadSlackFile()
to ensure directory traversal sequences (../../) are removed before the file
is written to disk, even though the subsequent regex also strips '/'. Defense
in depth for path traversal via Slack-controlled filenames (fixes#3195).
Agent: code-health
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Fixes#3250
The unbounded quantifier {40,} with word boundary \b caused exponential
backtracking on long non-matching strings. Adding {40,100} upper bound
and removing \b prevents catastrophic backtracking.
Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* test(telemetry): add unit tests for PII scrubbing and PostHog payload structure
Agent: code-health
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix(test): drain stale telemetry events before each test to fix CI flake
The telemetry module is a singleton whose event buffer accumulates
across test files. Other tests (e.g. sprite destroy) can leave events
in the buffer that pollute assertions. Drain + clear mock before each
test action to isolate test state.
---------
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
PostHog's /batch/ endpoint requires distinct_id inside each event's
properties object, not at the event level. Events were silently dropped.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pullChildHistory was awaited after the interactive session, blocking
process.exit() for up to 5+ minutes while it SSHed back into the VM.
This is a convenience feature for `spawn tree` — it should never make
the user wait.
Changed to fire-and-forget: process.exit() fires immediately,
killing any in-flight SSH calls. Headless mode still awaits it
since there's no user waiting.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sends CLI errors, warnings, and crashes to PostHog for observability.
Strictly error/warning events — no command tracking or session events.
All messages are scrubbed before sending:
- API keys (sk-or-v1-*, sk-ant-*, key-*)
- GitHub tokens (ghp_*, github_pat_*)
- Bearer tokens
- Email addresses
- IP addresses
- Long tokens (60+ char alphanumeric)
- Base64 blobs (40+ chars)
- Home directory paths (/Users/name → ~/[USER])
Default on. Disable with SPAWN_TELEMETRY=0.
Fire-and-forget with 5s timeout — never blocks the CLI.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The get_provision_timeout and get_agent_timeout functions used printenv with
dynamically constructed variable names, which is fragile across shells and
platforms. Replace with eval-based parameter expansion using the already-
sanitized safe_agent variable (restricted to [A-Za-z0-9_]).
Fixes#3234
Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Set umask 077 before mktemp so the temp .ts file is created with 0600
permissions, preventing other users on shared systems from reading it.
Umask is restored immediately after file creation.
Agent: code-health
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
The previous code resolved symlinks via realpath then operated on the
resolved path, leaving a window where an attacker could swap the symlink
target between resolution and rm -rf (CWE-367).
Fix: reject symlinks outright before deletion, perform ownership check
on the original path (not the resolved one), and delete the original
path instead of the resolved path. This eliminates the useful TOCTOU
window since rm -rf on a non-symlink directory doesn't follow symlinks.
Fixes#3233
Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
`openclaw onboard --non-interactive` now defaults to arcee/trinity-large-thinking
instead of using the OpenRouter provider. Always run `openclaw config set
agents.defaults.model.primary` after onboard to ensure openrouter/auto is set.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- isHttpAuthed(): remove length pre-check that leaks TRIGGER_SECRET length
via timing side-channel (CWE-208); wrap timingSafeEqual in try/catch instead
since it throws on length mismatch (fixes#3201)
- startHttpServer(): add token-bucket rate limiter (10 req/min per endpoint)
on /health, /candidate, /reply; returns HTTP 429 when exceeded (fixes#3204)
Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
