vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-05 23:50:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
357 commits 25 branches 19 tags 24 MiB
Commit graph

4 commits

Author SHA1 Message Date
A
5db68ea8d8
refactor: Extract helpers from long cloud provider functions (#112) 
- runpod: Extract wait_for_pod_ready() from create_server() (96 -> 44 lines)
- latitude: Extract extract_latitude_server_ip() from wait_for_server_ready() (72 -> 38 lines)
- kamatera: Extract parse_command_ids() and get_kamatera_server_ip() from create_server() (164 -> 77 lines)
- kamatera: Deduplicate command ID parsing between create_server and destroy_server

Agent: complexity-hunter

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
 2026-02-09 19:25:53 -08:00
A
a24dc101e3
fix: Eliminate heredoc injection, eval, and API key exposure (#108) 
- Replace unquoted heredocs with printf + json_escape for all JSON
  config files containing credentials (8 cloud providers + shared lib)
- Replace eval with printf -v for safe indirect variable assignment
- Move RunPod API key from URL query param to api-key header

Fixes #104, Fixes #105, Fixes #106

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-02-09 11:19:34 -08:00
A
b0f924b511
fix: Prevent Python/shell injection via env vars and triple-quote strings (#102) 
- Fix triple-quote injection in SSH keys (Scaleway, UpCloud), userdata
  (BinaryLane), init scripts (Civo, Kamatera), and GraphQL queries
  (RunPod) by passing data via stdin/json_escape instead of inline
  string interpolation
- Add input validation for all cloud provider env vars (region, type,
  plan, etc.) using validate_region_name/validate_resource_name to block
  shell metacharacters before they reach Python string interpolation
- Validate Modal image name as Python identifier to prevent code injection
- Validate numeric env vars (RAM, GPU count, disk size) across all providers

Affects: 19 cloud provider lib/common.sh files
Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-02-09 10:22:39 -08:00
L
2364458f36
Add RunPod GPU cloud provider (#39) 
* Add RunPod GPU cloud provider with all 13 agent scripts

- runpod/lib/common.sh: GraphQL API wrapper, pod creation/termination,
  SSH connectivity (direct TCP or proxy via ssh.runpod.io)
- 13 agent scripts: claude, openclaw, nanoclaw, aider, goose, codex,
  interpreter, gemini, amazonq, cline, gptme, opencode, plandex
- runpod/README.md with usage docs and environment variable reference
- manifest.json: RunPod cloud entry + all matrix entries as implemented

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add UpCloud cloud provider with all 13 agent scripts

- upcloud/lib/common.sh: UpCloud API wrapper with Basic Auth, server
  provisioning, SSH connectivity, base tool installation
- 13 agent scripts: claude, openclaw, nanoclaw, aider, goose, codex,
  interpreter, gemini, amazonq, cline, gptme, opencode, plandex
- upcloud/README.md with usage docs and env var reference
- manifest.json updated with UpCloud cloud entry and 13 matrix entries

UpCloud uses HTTP Basic Auth (username:password) instead of Bearer tokens.
Servers are provisioned via POST /1.3/server with SSH keys injected via
login_user. Ubuntu template UUID is dynamically resolved from the API.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Sprite <noreply@sprite.dev>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-02-07 21:43:10 -08:00