vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-03 06:10:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
521 commits 23 branches 19 tags 24 MiB
Commit graph

5 commits

Author SHA1 Message Date
Sprite
cf46b42e3f fix: Remove double-quoting in json_escape printf callers 
json_escape() returns a fully-quoted JSON string (e.g. "value") via
Python's json.dumps(). Callers using printf templates were wrapping
the result in additional quotes ("%s"), producing invalid JSON like
""value"". Remove the redundant quotes from all printf format strings
so json_escape's quotes are used directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-02-10 20:04:30 +00:00
A
a24dc101e3
fix: Eliminate heredoc injection, eval, and API key exposure (#108) 
- Replace unquoted heredocs with printf + json_escape for all JSON
  config files containing credentials (8 cloud providers + shared lib)
- Replace eval with printf -v for safe indirect variable assignment
- Move RunPod API key from URL query param to api-key header

Fixes #104, Fixes #105, Fixes #106

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-02-09 11:19:34 -08:00
A
b0f924b511
fix: Prevent Python/shell injection via env vars and triple-quote strings (#102) 
- Fix triple-quote injection in SSH keys (Scaleway, UpCloud), userdata
  (BinaryLane), init scripts (Civo, Kamatera), and GraphQL queries
  (RunPod) by passing data via stdin/json_escape instead of inline
  string interpolation
- Add input validation for all cloud provider env vars (region, type,
  plan, etc.) using validate_region_name/validate_resource_name to block
  shell metacharacters before they reach Python string interpolation
- Validate Modal image name as Python identifier to prevent code injection
- Validate numeric env vars (RAM, GPU count, disk size) across all providers

Affects: 19 cloud provider lib/common.sh files
Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-02-09 10:22:39 -08:00
Sprite
8f37ce3649 refactor: Automated improvements from cycle 1 
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-08 06:02:07 +00:00
L
a760831d8c
Add BinaryLane regional cloud provider (#40) 
Implements BinaryLane Australian cloud provider with claude, goose, and plandex agents.

**BinaryLane features:**
- Simple REST API (api.binarylane.com.au/v2/*)
- Hourly billing prorated from monthly rates
- 4 Australian regions (Sydney, Perth, Brisbane, Melbourne)
- Standard VPS sizes starting at std-1vcpu (1vCPU, 2GB RAM)
- SSH key support built-in
- Bearer token authentication

**Implementation:**
- binarylane/lib/common.sh - Provider API functions
- binarylane/claude.sh - Claude Code agent
- binarylane/goose.sh - Goose agent
- binarylane/plandex.sh - Plandex agent
- binarylane/README.md - Usage documentation
- manifest.json - Added cloud entry + 13 matrix entries (3 implemented, 10 missing)

All scripts follow curl|bash compatibility pattern with local-or-remote fallback for sourcing.
Tested with bash -n syntax checker on all .sh files.

Co-authored-by: Sprite <noreply@sprite.dev>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-07 21:51:02 -08:00