- Adds 30 new test cases covering previously untested functions in commands.ts
- Tests for getStatusDescription, renderMatrix helpers, validation logic
- Tests for error handling functions and download fallback logic
- Tests for agent/cloud validation and implementation checking
- Tests for calculateColumnWidth variations with different parameters
- Tests for isLocalSpawnCheckout file detection logic
This improves test coverage for core command logic that wasn't previously tested,
focusing on pure functions and logic that can be tested without full module mocking.
Agent: test-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
When sprite version output doesn't match the expected format, the message
now omits the version rather than displaying "unknown". Also broadened the
version regex to match versions without 'v' prefix.
Fixes#79
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
The redirect `> /dev/null 2>&1` was being escaped by `run_sprite`'s
`printf %q`, causing the command to be interpreted incorrectly:
/usr/bin/bash: line 1: claude install > /dev/null 2>&1: No such file or directory
Removing the redirect allows users to see installation progress and
simplifies the command. Installation success is already verified by
the subsequent check on line 33.
Fixes#80
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Same bug as improve.sh — was cd'ing into the skills directory
instead of the repo root.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
improve.sh was setting REPO_ROOT to its own directory, causing
manifest.json lookups and git commands to fail silently.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Added 35 tests covering helper functions in commands.ts
- Tests cover error handling, string validation, column width calculation
- Tests verify renderMatrixRow color selection logic
- Tests validate isLocalSpawnCheckout and report functions
- All 35 new tests pass
- Focus on pure functions and functions with minimal side effects
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Split the 66-line generic_cloud_api function into focused helpers to reduce
complexity and eliminate duplication:
- _parse_api_response: Extracts HTTP code and response body (10 lines)
- _make_api_request: Builds curl args and executes request (27 lines)
- _handle_api_transient_error: Centralizes retry logic for all error types (24 lines)
Main function reduced from 66 to 41 lines (38% reduction). Behavior unchanged:
still retries on network errors and transient HTTP codes (429, 503), with
exponential backoff. All test assertions pass.
This extraction pattern makes it clearer how retry logic flows and easier to
modify error handling in the future without duplicating patterns.
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Post a short, natural thank-you for flagging the issue before
diving into categorization and investigation.
Agent: team-lead
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Skip the generic "thanks for reporting" boilerplate and go straight
to categorizing and investigating the issue.
Agent: team-lead
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SECURITY FIXES:
- Add validate_oauth_port() to prevent command injection via port parameter
- Ensures port is numeric and in range 1024-65535
- Prevents JavaScript injection in OAuth server code
- Add CSRF state parameter to OAuth flow
- Generate random 128-bit state token per session
- Validate state parameter in callback to prevent OAuth code interception
- Display error page if state validation fails
IMPACT:
- Prevents CRITICAL command injection vulnerability (CVE-worthy)
- Prevents HIGH OAuth code stealing attacks via CSRF
TESTING:
- All 101 tests pass (bun test)
- Syntax validated (bash -n)
- No regressions introduced
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Enhance UX across CLI and cloud providers with actionable error messages:
1. Modal sandbox creation failures now provide:
- Detailed error output from Python SDK
- Common causes (auth expired, quota issues, network)
- Step-by-step troubleshooting (re-auth, check quota, status page)
2. Modal CLI installation failures now explain:
- Missing pip/pip3 (with installation commands)
- Permission issues (suggest --user flag)
- Manual installation steps
3. Sprite connectivity failures now include:
- Commands to check sprite status and logs
- Steps to recreate sprite
- Support contact information
4. Sprite CLI installation now:
- Catches installation failures with helpful error messages
- Verifies installation succeeded before proceeding
- Provides manual installation instructions
5. CLI script download failures improved:
- Distinguish between 404 (doesn't exist) and other errors
- Provide specific next steps for each scenario
- Suggest checking matrix for implementation status
All error messages follow the pattern:
- What went wrong
- Why it might have happened (common causes)
- What to do next (actionable steps)
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add `_update_retry_interval()` helper in shared/common.sh to eliminate
repeated backoff interval calculation and cap logic (was copied 10+ times
across cloud provider API wrappers)
- Refactor generic_cloud_api() to use new helper, reducing from 83 to 70 lines
- Refactor scaleway_api() to use new helper, reducing from 66 to 53 lines
- Refactor upcloud_api() to use new helper, reducing from 65 to 52 lines
This reduces cyclomatic complexity by eliminating nested if statements for
interval updates and consolidates the retry backoff logic in one place,
making future maintenance easier and reducing bugs from copy-paste errors.
Agent: complexity-hunter
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
- Modified ensure_sprite_installed() to check if sprite is already installed
- When sprite is found, log version and skip installation
- Prevents unnecessary reinstalls when sprite CLI is already present
Fixes#63
Agent: community-coordinator
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Stale remote branches were showing up because git fetch doesn't prune
deleted remote refs by default. Add --prune to every git fetch call in
improve.sh (main entry, run_team_cycle, run_single_cycle,
cleanup_between_cycles) and refactor.sh.
Agent: team-lead
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Document the mandatory git conventions for all agent team scripts:
always pull main before creating worktrees, use worktrees for parallel
branch work, include Agent: trailers in commits, and clean up worktrees
at end of cycle.
Agent: team-lead
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add branch-cleaner role that cleans stale remote branches (>4 hours):
merges open PRs if mergeable, closes/deletes if stale
- Require Agent: trailer in all commit messages for traceability
- Switch git workflow from checkout -b to worktrees so parallel agents
don't clobber each other's uncommitted changes
- Always git fetch origin main before creating worktrees to ensure
branches start from latest main
- Add worktree setup/teardown to run_team_cycle and cleanup_between_cycles
Agent: team-lead
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add branch-cleaner agent (Haiku) that cleans stale remote branches:
merges open PRs if mergeable, closes/deletes if stale >4 hours
- Require Agent: trailer in all commit messages so we can trace which
agent authored each change
- Switch from git checkout to git worktrees for parallel branch work,
preventing agents from clobbering each other's uncommitted changes
- Update Issue Fix Workflow to use worktree pattern
- Update Workflow with branch cleanup passes and worktree setup/teardown
Agent: team-lead
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ux: Improve error messages and user guidance across CLI and shell scripts
Enhanced error messages to be more actionable and user-friendly:
CLI improvements (commands.ts):
- Made validateNonEmptyString clearer: "is required but was not provided"
- Reordered troubleshooting steps to check matrix first (most common issue)
- Simplified 404 error message: "doesn't exist yet" vs "may not be implemented"
- Changed "Troubleshooting steps" to just "Troubleshooting" (less formal)
Shared library improvements (shared/common.sh):
- OAuth cancellation now explains why API key is needed and where to get it
- safe_read non-TTY error explains what non-interactive mode is with example
- get_resource_name error shows exact env var syntax needed
- Agent verification failures now list specific possible causes
- All improvements add context and next steps rather than just stating the problem
Hetzner library improvements (hetzner/lib/common.sh):
- Replaced technical "Remediation" with friendly "How to fix"
- Changed log_warn to log_error for error conditions (consistent severity)
- Added spacing for better readability of multi-line errors
- Made server creation errors more specific about account issues
All changes focus on helping users understand WHAT went wrong and HOW to fix it.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: Replace issue-triager with community-coordinator agent
Replace the issue-triager agent in the refactor team with a
community-coordinator that actively engages with GitHub issues:
acknowledges reports, posts interim updates, delegates to relevant
teammates, and posts final resolutions — so reporters feel heard.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixes#59
The instanceof operator can fail in bundled/minified code or when
errors cross execution realm boundaries, causing the error:
"instanceof called on an object with an invalid prototype property"
This commit replaces all instanceof Error checks with duck typing
(checking for object with 'message' property) which is more reliable
across different execution contexts.
Changes:
- index.ts: Updated handleError() and prompt file error handling
- commands.ts: Updated getErrorMessage() helper
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Updated overview to reflect current architecture (public sprite URL
with TRIGGER_SECRET bearer auth, not start service API)
- Added Step 5 for setting sprite URL auth to public
- Updated workflow template to use SPRITE_URL + TRIGGER_SECRET secrets
- Updated secret naming convention to match deployed services
- Added Step 10 for CLI-based end-to-end testing
- Added "Current Deployed Services" reference table
- Fixed all stale references and code samples
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Sprite start service API (/services/{name}/start) returns
"service name required" for all service names — appears to be an API
bug. Switched to hitting the sprite's public URL directly with
TRIGGER_SECRET bearer auth instead.
- Re-added TRIGGER_SECRET auth to trigger-server.ts
- Set sprite url_settings.auth to "public"
- Updated both workflows to use SPRITE_URL + TRIGGER_SECRET pattern
- Aligned workflow structure (both use same env vars and curl format)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Use env vars from secrets instead of hardcoded names
- Add issues trigger (opened, reopened)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Security:
- Fix command injection in modal/lib/common.sh (run_server, upload_file, interactive_session)
- Fix command injection in fly/lib/common.sh (run_server, upload_file, interactive_session)
- All container providers now use printf '%q' for proper shell escaping
Complexity:
- Extract _api_should_retry_on_error() helper in shared/common.sh (-19 lines)
- Refactor scaleway_api and upcloud_api to use shared retry helper (-24 lines)
- Extract _save_fly_token() helper in fly/lib/common.sh (-11 lines)
- Extract validateAndGetAgent() in commands.ts, reducing cmdRun/cmdAgentInfo duplication
- Refactor cmdList column width calculation to use calculateColumnWidth()
UX:
- Add actionable next steps to error messages in shared/common.sh
- Improve CLI bash fallback error messages with guidance (spawn.sh)
- Add OAuth progress indicator during browser authentication wait
- Show invalid model ID value and link to openrouter.ai/models
- Add troubleshooting steps for agent installation failures
Tests:
- Update test assertions in test/run.sh to match refactored patterns
- All tests passing: 74 TypeScript + 75 bash = 149 total, 0 failures
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sprite API rejects service names with hyphens. Renamed from
improve-trigger to improve_trigger.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SERVICE_NAME env var may conflict with GitHub Actions internals.
Inline the secrets directly in the URL template instead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
~/.bun/bin is often NOT in PATH, causing 'command not found' after
install. Now picks the first dir already in PATH from:
1. ~/.local/bin (most universal)
2. $(bun pm bin -g)
3. ~/.bun/bin
4. ~/bin
Also consolidated PATH detection and instructions into shared helpers,
with clear shell-specific instructions when the dir isn't in PATH.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bun link only registers packages for project-level linking — it does
not create global CLI binaries. bun install -g has the same issue.
New approach:
- bun: build cli.js, copy directly to $(bun pm bin -g)/spawn (55KB)
- npm: build with esbuild, copy to $(npm bin -g)/spawn
- Both methods put the binary exactly where the runtime expects it
Also replaced brittle hardcoded file downloads with git sparse-checkout
(with GitHub API fallback), so new source files never break the installer.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The install script had a hardcoded list of source files to download,
which broke whenever a new file was added (e.g., security.ts). Also,
openrouter.ai/lab/spawn served a stale cached version without the fix.
Now uses git sparse-checkout (fast, gets only cli/) with a GitHub API
fallback for environments without git. Adding new source files will
never break the installer again.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
commands.ts imports ./security.js but install.sh never downloaded
security.ts, causing build to fail with "Could not resolve" error.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
package.json bin points to cli.js, but it was never built during
installation. Both bun link and npm install -g failed silently because
the file didn't exist.
- Bun path: run `bun run build` before `bun link`
- npm path: use npx esbuild to bundle cli.js with node shebang
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Sprite start service API returns streaming NDJSON, causing curl -f
to fail with exit code 22. Use duration=0s to return immediately and
drop -f flag since the response is streaming.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sprite may take time to wake from pause, causing --max-time 30 to fail
with exit code 22.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove TRIGGER_SECRET from trigger-server.ts and start-improve.sh
- Auth is handled at the Sprite API level via SPRITE_TOKEN
- Update SKILL.md: remove secret generation step, fix step numbering,
update embedded code and verification examples
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Replace SPRITE_URL/SPRITE_SECRET pattern with SPRITE_NAME/SERVICE_NAME
- Use Sprite start service API endpoint (api.sprites.dev)
- Share SPRITE_TOKEN across all services
- Update skill documentation to reflect new approach
- Delete deprecated URL/SECRET based secrets
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
