- Fix railway/gptme.sh calling nonexistent inject_env_vars_railway (should be inject_env_vars)
- Railway README: add missing NanoClaw and gptme agent entries
- Northflank README: add missing NanoClaw, Goose, Codex CLI, Open Interpreter, Gemini CLI agent entries and Environment Variables table
- Hyperstack README: restructure to match standard format with Agents section, use openrouter.ai/lab/spawn URLs instead of raw GitHub URLs, add 6 missing agents (Amazon Q, Cline, gptme, OpenCode, Plandex, Kilo Code), add Environment Variables table and Non-Interactive Mode section
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Railway's inject_env_vars passed user-controlled values (e.g. OPENROUTER_API_KEY)
through bash -c without proper escaping, allowing shell injection. Replace with
the safe file-based pattern used by other providers (write to temp file, upload,
append to .bashrc).
Also add remote_path validation to Railway and Modal upload_file functions to
prevent single-quote breakout injection, matching the pattern already used by
Koyeb. Fix gptme.sh reference to non-existent inject_env_vars_railway function.
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Implement Render cloud integration with CLI and API support:
- render/lib/common.sh with provider primitives (auth, provision, SSH, upload)
- render/claude.sh for Claude Code deployment
- render/aider.sh for Aider deployment
- Updated manifest.json with Render cloud and 14 matrix entries
- Created README.md with usage documentation
Render offers a developer-first platform with free tier, Docker support,
and SSH access via render CLI. All scripts support OpenRouter integration.
Agent: cloud-scout-1
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
- Fix railway/gptme.sh calling nonexistent inject_env_vars_railway (should be inject_env_vars)
- Fix northflank claude/openclaw/aider using inject_env_vars_local (only writes .zshrc)
instead of inject_env_vars_northflank (writes both .bashrc and .zshrc)
- Update Railway README to list NanoClaw and gptme agents
- Update Northflank README to list all 8 implemented agents and add env var table
- Mark railway/gptme as implemented in manifest.json
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
cmdCloudInfo was the only major command function with zero test coverage.
Tests cover happy paths, cloud notes display, empty agents state, error
paths (invalid identifiers, unknown clouds), and typo suggestions.
Agent: test-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Railway: Missing base64 -w0 caused newline injection; unescaped remote_path
in single quotes allowed single-quote breakout command injection. Now uses
base64 -w0 with macOS fallback, printf '%q' for path escaping, and routes
through run_server instead of direct railway run bash -c.
Modal: Remote path was embedded in single quotes without escaping, allowing
single-quote breakout. Now uses printf '%q' for safe path escaping.
Koyeb: Used fragile deny-list validation for remote_path (rejecting specific
characters) and base64 without -w0 flag. Replaced with printf '%q' escaping
and added base64 -w0 with macOS fallback.
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
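The upload_file hardening described in the commit above, as an added example that is not the project's code: a remote path pasted between single quotes, next to the same path escaped with printf '%q', plus a one-line base64 helper. The helper names, the sample path and the local `bash -c` standing in for run_server are assumptions.

```shell
#!/usr/bin/env bash
# Added example: all names are constructed, and a local `bash -c` stands in
# for the remote shell that run_server would reach.

# %q is a bash printf extension; calling bash explicitly keeps this helper
# usable even when the script itself is started by plain sh.
quote_arg() { bash -c 'printf "%q" "$1"' _ "$1"; }

# One-line base64: GNU base64 wraps at 76 columns unless given -w0. The
# fallback covers builds that reject -w (macOS); tr is an added safety net.
b64_oneline() { base64 -w0 < "$1" 2>/dev/null || base64 < "$1" | tr -d '\n'; }

# Vulnerable shape: the remote path is pasted between single quotes.
build_cmd_unsafe() {    # $1 = local file, $2 = remote path
    printf "printf %%s '%s' | base64 -d > '%s'" "$(b64_oneline "$1")" "$2"
}

# Hardened shape: the path goes through %q and stays a single word.
build_cmd_safe() {
    printf "printf %%s '%s' | base64 -d > %s" \
        "$(b64_oneline "$1")" "$(quote_arg "$2")"
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed payload, longer than one 76-column base64 line.
    printf 'OPENROUTER_API_KEY=%s\n' \
        "constructed-sample-value-long-enough-to-need-more-than-one-base64-line" \
        > "$work/src"
    # Constructed path: the quote ends the string and a second command follows.
    path="out'; touch 'MARKER"

    ( cd "$work" && bash -c "$(build_cmd_unsafe "$work/src" "$path")" )
    if [ -e "$work/MARKER" ]; then unsafe=injected; else unsafe=contained; fi
    rm -f "$work/MARKER" "$work/out"

    ( cd "$work" && bash -c "$(build_cmd_safe "$work/src" "$path")" )
    if [ ! -e "$work/MARKER" ] && cmp -s "$work/src" "$work/$path"; then
        safe=contained
    else
        safe=injected
    fi
    rm -rf "$work"
    echo "unsafe=$unsafe safe=$safe"
}

demo
```

With the escaped form the whole string becomes the file name, so the upload lands in a file literally named `out'; touch 'MARKER` and no second command runs.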
The timeout wrapper was killing cycles prematurely. The trigger
server's RUN_TIMEOUT_MS (75 min) is the safety net if something
truly hangs — no need for a second timeout layer in the script.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extract helper functions from the two largest create_server functions:
Linode (99 lines -> 30-line orchestrator):
- _linode_fetch_ssh_keys: fetch authorized SSH public keys
- _linode_build_create_payload: build userdata, root password, request body
- _linode_wait_for_active: poll until instance is running
GenesisCloud (92 lines -> 28-line orchestrator):
- _genesis_fetch_ssh_key_ids: fetch SSH key IDs
- _genesis_build_create_payload: build userdata and request body
- _genesis_wait_for_active: poll until instance is active
Agent: complexity-hunter
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The bun build command was failing on proot-distro ubuntu because it couldn't
resolve node_modules dependencies. Added --packages bundle flag to explicitly
bundle all dependencies into the output file.
Fixes #209
Agent: issue-responder
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
json_escape() returns a fully-quoted JSON string (e.g. "value") via
Python's json.dumps(). Callers using printf templates were wrapping
the result in additional quotes ("%s"), producing invalid JSON like
""value"". Remove the redundant quotes from all printf format strings
so json_escape's quotes are used directly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the broken keep-alive ping loop with a fundamentally better
approach: the trigger server now streams the script's stdout/stderr
back as the HTTP response body in chunks. The GH Action holds the
curl connection open for the entire cycle duration (~90 min timeout).
This works because Sprite keeps VMs alive while "actively servicing
HTTP requests." A single long-lived streaming response satisfies
this naturally — no synthetic pings needed.
Key changes:
trigger-server.ts:
- /trigger now returns a streaming text/plain Response
- stdout/stderr piped through ReadableStream with chunked output
- 30s heartbeat lines injected during silent periods
- Client disconnect handled gracefully (process keeps running)
- X-Accel-Buffering: no header to prevent proxy buffering
discovery.yml / refactor.yml:
- curl -sSN --fail-with-body streams output in real-time
- timeout-minutes: 90 to hold the connection for full cycles
- Error responses (429/409/401) still print body and exit cleanly
discovery.sh / refactor.sh:
- Removed all keep-alive logic (start_keepalive/stop_keepalive)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Localhost pings (curl http://localhost:8080/health) bypass the Sprite
proxy entirely and don't register as "actively servicing HTTP requests."
Per Sprite lifecycle rules, VMs pause when there's no inbound HTTP
through the proxy and no detachable session output — so the old
keep-alive was doing nothing.
Now both discovery.sh and refactor.sh resolve the Sprite's public URL
via `sprite-env info` and ping that instead. The request routes through
the Sprite proxy, which counts as real activity and prevents pause.
Also adds keep-alive to discovery.sh (previously had none at all).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The discovery loop was missing stale PR resolution — unlike refactor.sh,
it relied entirely on the Branch Cleaner teammate to handle open PRs
during the cycle. If the cycle timed out or the teammate failed, PRs
would leak across cycles indefinitely.
Now the team lead checks for open provider PRs at three points:
1. Pre-cycle: merge or close stale PRs (>2h old) before launching agents
2. Shutdown: explicit sweep for provider-related PRs before exiting
3. Between cycles: catch anything missed by the shutdown sequence
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Implement hyperstack/kilocode.sh script that provisions a Hyperstack VM
and installs Kilo Code with OpenRouter integration.
Agent: gap-filler-hyperstack-4
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Implement hyperstack/plandex.sh script that provisions a Hyperstack VM
and installs Plandex with OpenRouter integration.
Agent: gap-filler-hyperstack-4
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Koyeb's inject_env_vars used sed escaping that didn't handle single quotes,
allowing API key values containing ' to break out of the shell command string
passed to `koyeb instances exec`. Replace with file-based injection using
generate_env_config + upload_file, matching the safe pattern in shared/common.sh.
Hyperstack goose/gemini/interpreter/codex scripts embedded $OPENROUTER_API_KEY
directly in double-quoted command strings passed to run_server (SSH). Values
containing double quotes, backticks, or $() could execute arbitrary commands
on the remote VM. Replace with inject_env_vars_ssh which writes env vars to a
temp file, uploads via SCP, and appends to shell config without interpolation.
Also hardens Koyeb upload_file to reject remote paths containing shell
metacharacters (', $, `, newline).
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
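The file-based injection pattern from the commit above and from the earlier Railway inject_env_vars fix, as an added example rather than the project's own generate_env_config or inject_env_vars_ssh: the value interpolated into a command string, next to the value written to a file and appended by a constant command. The helper names, the sample key and the local `sh -c` standing in for the remote exec are assumptions.

```shell
#!/usr/bin/env bash
# Added example: helper names are hypothetical and a local `sh -c` stands in
# for run_server / `koyeb instances exec`.

# Escape for a single-quoted shell word: each ' becomes '\''
sq_escape() { printf '%s' "$1" | sed "s/'/'\\\\''/g"; }

# Write `export NAME='value'` lines to a private file; reject odd names.
write_env_file() {      # $1 = output file, rest = NAME=value pairs
    out=$1; shift
    : > "$out" && chmod 600 "$out" || return 1
    for pair in "$@"; do
        name=${pair%%=*}; value=${pair#*=}
        case $name in ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;; esac
        printf "export %s='%s'\n" "$name" "$(sq_escape "$value")" >> "$out"
    done
}

# Vulnerable shape: the value is interpolated into the command string.
inject_unsafe() {       # $1 = value, $2 = rc file
    sh -c "echo \"export OPENROUTER_API_KEY=$1\" >> \"$2\""
}

# File-based shape: the command text is constant, the secret is file content.
inject_safe() {
    tmp=$(mktemp) || return 1
    write_env_file "$tmp" "OPENROUTER_API_KEY=$1" || { rm -f "$tmp"; return 1; }
    sh -c 'cat "$1" >> "$2"' _ "$tmp" "$2"   # stand-in for upload + append
    rm -f "$tmp"
}

demo() (
    work=$(mktemp -d) && cd "$work" || exit 1
    key="sk-'constructed'-\$(touch MARKER)"     # constructed hostile value

    inject_unsafe "$key" "$work/rc1"
    if [ -e MARKER ]; then unsafe=executed; else unsafe=inert; fi
    rm -f MARKER

    inject_safe "$key" "$work/rc2"
    got=$(. "$work/rc2"; printf '%s' "$OPENROUTER_API_KEY")
    if [ ! -e MARKER ] && [ "$got" = "$key" ]; then safe=inert; else safe=executed; fi
    cd / && rm -rf "$work"
    echo "unsafe=$unsafe safe=$safe"
)

demo
```

The safe path still has to quote the value inside the env file, because the rc file is later sourced by a shell; that is where the single-quote handling the commit mentions matters.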
Validates that manifest.json is internally consistent and that every
"implemented" matrix entry has a corresponding script file. Catches
configuration drift between manifest.json and the actual file tree.
Tests cover:
- Manifest structure (agents, clouds, matrix top-level keys)
- Agent/cloud definition required fields and naming conventions
- Matrix consistency (valid statuses, complete coverage, no duplicates)
- Script file existence for all implemented entries
- Cloud lib/common.sh existence for clouds with implementations
- Script content basics (shebang, set -eo pipefail, sourcing lib)
- Orphaned script detection (files exist but marked "missing")
Agent: test-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Implement hyperstack/opencode.sh script that provisions a Hyperstack VM
and installs OpenCode with OpenRouter integration.
Agent: gap-filler-hyperstack-4
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Users who know their preferred cloud but not which agents are available
had no way to find out. Now `spawn hetzner` shows all agents available
on Hetzner, mirroring how `spawn claude` shows all clouds for Claude.
- Add cmdCloudInfo() showing cloud details + available agents
- handleDefaultCommand detects cloud names and routes to cloud info
- Update help text and clouds list footer to document the new command
- Bump CLI version to 0.2.15
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements Amazon Q CLI on Hyperstack cloud provider. Uses Hyperstack's
VM provisioning API with SSH connectivity. Script installs Amazon Q CLI
via curl|bash, injects OpenRouter credentials as environment variables,
and launches interactive Q chat session.
OpenRouter integration via OPENAI_BASE_URL override pointing to
openrouter.ai/api/v1.
Agent: gap-filler-hyperstack-1
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Implement gptme agent on Hyperstack cloud platform.
- Install via pip/pip3
- Native OpenRouter support via OPENROUTER_API_KEY
- Launch with -m openrouter/${MODEL_ID} flag
- Uses Hyperstack VM provisioning and SSH primitives
- OAuth flow for API key (port 5181)
Agent: gap-filler-hyperstack-3
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
README was 4 clouds behind (missing oracle, vastai, hyperstack, koyeb).
Updated from 21→25 clouds, 294→333 combinations.
Changed discovery.sh team lead instructions: README matrix sync is now
the explicit FIRST step (before spawning teammates) and FINAL step
(after all PRs merged) — assigned to team lead, not vague "one teammate".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rename the GitHub workflow, scripts, and service from "improve" to
"discovery" to better reflect what the automation does. Remove the
`spawn improve` CLI command entirely — the discovery/refactor loops
are internal automation, not user-facing CLI features.
File renames:
- .github/workflows/improve.yml → discovery.yml
- .claude/skills/.../improve.sh → discovery.sh
- .claude/skills/.../start-improve.sh → start-discovery.sh
- Service: improve-trigger → discovery-trigger
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add Koyeb as a new cloud provider with CLI-based provisioning.
Changes:
- Created koyeb/lib/common.sh with provider primitives
- Implemented koyeb/claude.sh
- Implemented koyeb/aider.sh
- Implemented koyeb/openclaw.sh
- Added Koyeb entry to manifest.json clouds section
- Added matrix entries for all 14 agents
- Created koyeb/README.md with setup instructions
Koyeb features:
- Serverless container platform with per-second billing
- Free tier available (no credit card required)
- Fast deployment times
- Automatic scaling
- Global deployment regions
Agent: cloud-scout-2
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>