#!/bin/bash # Installer for the spawn CLI # # Usage: # curl -fsSL --proto '=https' https://openrouter.ai/labs/spawn/cli/install.sh | bash # # This installs spawn via bun. If bun is not available, it auto-installs it first. # # Override install directory: # SPAWN_INSTALL_DIR=/usr/local/bin curl -fsSL --proto '=https' ... | bash set -eo pipefail SPAWN_REPO="OpenRouterTeam/spawn" SPAWN_CDN="https://openrouter.ai/labs/spawn" SPAWN_RAW_BASE="https://raw.githubusercontent.com/${SPAWN_REPO}/main" MIN_BUN_VERSION="1.2.0" BUN_INSTALL_VERSION="1.3.9" # SHA-256 of https://bun.sh/install?version=1.3.9 — update when bumping BUN_INSTALL_VERSION BUN_INSTALLER_SHA256="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd" RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BOLD='\033[1m' NC='\033[0m' CYAN='\033[0;36m' log_info() { printf '%b[spawn]%b %s\n' "$GREEN" "$NC" "$1"; } log_step() { printf '%b[spawn]%b %s\n' "$CYAN" "$NC" "$1"; } log_warn() { printf '%b[spawn]%b %s\n' "$YELLOW" "$NC" "$1"; } log_error() { printf '%b[spawn]%b %s\n' "$RED" "$NC" "$1"; } # --- Helper: portable SHA-256 (macOS uses shasum, Linux uses sha256sum) --- sha256_file() { if command -v sha256sum &>/dev/null; then sha256sum "$1" | cut -d' ' -f1 elif command -v shasum &>/dev/null; then shasum -a 256 "$1" | cut -d' ' -f1 else return 1 fi } # --- Helper: compare semver strings --- # Returns 0 (true) if $1 >= $2 version_gte() { local IFS='.' local a=($1) b=($2) local i=0 while [ $i -lt ${#b[@]} ]; do local av="${a[$i]:-0}" local bv="${b[$i]:-0}" if [ "$av" -lt "$bv" ]; then return 1 elif [ "$av" -gt "$bv" ]; then return 0 fi i=$((i + 1)) done return 0 } # --- Helper: ensure bun meets minimum version --- ensure_min_bun_version() { local current current="$(bun --version)" if ! version_gte "$current" "$MIN_BUN_VERSION"; then log_warn "bun ${current} is below minimum ${MIN_BUN_VERSION}, upgrading..." bun upgrade current="$(bun --version)" if ! version_gte "$current" "$MIN_BUN_VERSION"; then log_error "Failed to upgrade bun to >= ${MIN_BUN_VERSION} (got ${current})" echo "" echo "Please upgrade bun manually:" echo " bun upgrade" echo "" echo "Then re-run:" echo " curl -fsSL --proto '=https' ${SPAWN_CDN}/cli/install.sh | bash" exit 1 fi log_info "bun upgraded to ${current}" fi } # --- Helper: check if sudo can authenticate without a password prompt --- # Returns 0 if sudo is passwordless (root, NOPASSWD, or macOS Touch ID). has_passwordless_sudo() { # Already root — no sudo needed [ "$(id -u)" = "0" ] && return 0 # Check if sudo works non-interactively (NOPASSWD or cached credentials) sudo -n true 2>/dev/null && return 0 # macOS: check if Touch ID is configured for sudo (pam_tid.so) if [ -f /etc/pam.d/sudo_local ] && grep -q "pam_tid" /etc/pam.d/sudo_local 2>/dev/null; then return 0 fi if [ -f /etc/pam.d/sudo ] && grep -q "pam_tid" /etc/pam.d/sudo 2>/dev/null; then return 0 fi return 1 } # --- Helper: verify symlink target is safe before overwriting --- # Returns 0 if the path doesn't exist, is not a symlink, or points to a safe location. # Returns 1 if it's a symlink pointing to an unexpected location (potential hijack). # Safe prefixes: $HOME/.local, $HOME/.bun, /usr/local, $HOME/.npm-global verify_symlink_safe() { local target_path="$1" # No file at all — safe to create if [ ! -e "$target_path" ] && [ ! -L "$target_path" ]; then return 0 fi # Not a symlink (regular file or dir) — safe to overwrite with -f if [ ! -L "$target_path" ]; then return 0 fi # It's a symlink — read where it points (portable: readlink without -f) local link_target link_target="$(readlink "$target_path" 2>/dev/null || true)" if [ -z "$link_target" ]; then # Could not read symlink — treat as suspicious return 1 fi # Check against safe prefixes case "$link_target" in "${HOME}/.local/"*|"${HOME}/.bun/"*|"/usr/local/"*|"${HOME}/.npm-global/"*) return 0 ;; *) return 1 ;; esac } # --- Helper: create symlink only if existing target is safe --- # Usage: safe_ln_sf [sudo] # Warns and skips if dest is a symlink pointing to an unexpected location. safe_ln_sf() { local src="$1" local dest="$2" local use_sudo="${3:-}" local name name="$(basename "$dest")" if ! verify_symlink_safe "$dest"; then local existing existing="$(readlink "$dest" 2>/dev/null || true)" log_warn "Skipping ${dest}: existing symlink points to unexpected location (${existing})" log_warn "Remove it manually if you trust the target: rm ${dest}" return 1 fi if [ "$use_sudo" = "sudo" ]; then sudo ln -sf "$src" "$dest" else ln -sf "$src" "$dest" fi } # --- Helper: ensure spawn works immediately and in future sessions --- # Installs to ~/.local/bin. If that's not already in PATH, also symlinks # to /usr/local/bin for immediate availability (without prompting for a # password — only if writable or passwordless sudo is available). # Also patches shell rc files so both ~/.local/bin and ~/.bun/bin are in # PATH for future sessions (bun is required by spawn's shebang). ensure_in_path() { local install_dir="$1" local bun_bin_dir="${BUN_INSTALL}/bin" # 1. Check if install_dir and bun are already in the user's real PATH local spawn_in_path=false local bun_in_path=false if echo "${_SPAWN_ORIG_PATH}" | tr ':' '\n' | grep -qxF "${install_dir}"; then spawn_in_path=true fi if echo "${_SPAWN_ORIG_PATH}" | tr ':' '\n' | grep -qxF "${bun_bin_dir}"; then bun_in_path=true fi # 2. If spawn not in PATH, symlink into /usr/local/bin for immediate availability # Try in order: direct write → passwordless sudo → prompt for password # Also symlink bun so that spawn's #!/usr/bin/env bun shebang resolves local linked=false local bun_path bun_path="$(command -v bun 2>/dev/null || true)" # Validate bun is in an expected directory before symlinking with elevated # privileges. If an attacker controls PATH, `command -v bun` could resolve # to a malicious binary — symlinking that to /usr/local/bin with sudo would # be a privilege escalation vector. if [ -n "$bun_path" ]; then case "$bun_path" in "${HOME}/.bun/bin/bun"|"${HOME}/.local/bin/bun"|/usr/local/bin/bun|"${BUN_INSTALL}/bin/bun") # Expected bun installation location — safe to symlink ;; *) log_warn "bun found at unexpected location: ${bun_path} — skipping symlink" bun_path="" ;; esac fi if [ "$spawn_in_path" = false ]; then if [ -d /usr/local/bin ] && [ -w /usr/local/bin ]; then safe_ln_sf "${install_dir}/spawn" /usr/local/bin/spawn && linked=true if [ -n "$bun_path" ] && [ ! -x /usr/local/bin/bun ]; then safe_ln_sf "$bun_path" /usr/local/bin/bun 2>/dev/null || true fi elif has_passwordless_sudo; then safe_ln_sf "${install_dir}/spawn" /usr/local/bin/spawn sudo 2>/dev/null && linked=true if [ -n "$bun_path" ] && [ ! -x /usr/local/bin/bun ]; then safe_ln_sf "$bun_path" /usr/local/bin/bun sudo 2>/dev/null || true fi elif command -v sudo &>/dev/null; then # Last resort: ask for password log_step "Adding spawn to /usr/local/bin (may require your password)..." safe_ln_sf "${install_dir}/spawn" /usr/local/bin/spawn sudo && linked=true || true if [ "$linked" = true ] && [ -n "$bun_path" ] && [ ! -x /usr/local/bin/bun ]; then safe_ln_sf "$bun_path" /usr/local/bin/bun sudo 2>/dev/null || true fi fi fi # 3. Patch shell rc files so both ~/.local/bin and ~/.bun/bin are in PATH # for future sessions. ~/.bun/bin is required by spawn's #!/usr/bin/env bun shebang. local rc_file="" case "${SHELL:-/bin/bash}" in */zsh) rc_file="${HOME}/.zshrc" ;; */fish) rc_file="" ;; *) rc_file="${HOME}/.bashrc" ;; esac # Marker comments — keep in sync with packages/cli/src/shared/paths.ts local marker_start="# >>> spawn >>>" local marker_end="# <<< spawn <<<" # Helper: add a dir to rc files if not already present _patch_rc() { local dir="$1" local line="export PATH=\"${dir}:\$PATH\"" if [ -n "$rc_file" ]; then if ! grep -qF "${dir}" "$rc_file" 2>/dev/null; then printf '\n%s\n%s\n%s\n' "$marker_start" "$line" "$marker_end" >> "$rc_file" fi case "${SHELL:-/bin/bash}" in */bash) for profile in "${HOME}/.profile" "${HOME}/.bash_profile"; do if [ -f "$profile" ] && ! grep -qF "${dir}" "$profile" 2>/dev/null; then printf '\n%s\n%s\n%s\n' "$marker_start" "$line" "$marker_end" >> "$profile" fi done ;; esac else case "${SHELL:-}" in */fish) fish -c "fish_add_path \"${dir}\"" 2>/dev/null || true ;; esac fi } if [ "$spawn_in_path" = false ]; then _patch_rc "${install_dir}" fi if [ "$bun_in_path" = false ]; then _patch_rc "${bun_bin_dir}" fi # 4. Show version and success message echo "" SPAWN_NO_UPDATE_CHECK=1 PATH="${install_dir}:${PATH}" "${install_dir}/spawn" version echo "" local all_ready=true if [ "$spawn_in_path" = false ] && [ "$linked" = false ]; then all_ready=false fi if [ "$bun_in_path" = false ] && [ ! -x /usr/local/bin/bun ]; then all_ready=false fi if [ "$all_ready" = true ]; then printf '%b[spawn]%b Run %bspawn%b to get started\n' "$GREEN" "$NC" "$BOLD" "$NC" else printf '%b[spawn]%b To start using spawn, run:\n' "$GREEN" "$NC" echo "" echo " exec \$SHELL" echo "" fi } # --- Helper: build and install the CLI using bun --- build_and_install() { tmpdir=$(mktemp -d) [ -n "$tmpdir" ] || { log_error "mktemp failed to produce a directory path"; exit 1; } trap '[ -n "${tmpdir}" ] && [ -d "${tmpdir}" ] && rm -rf "${tmpdir}"' EXIT log_step "Downloading pre-built CLI binary..." curl -fsSL --proto '=https' "https://github.com/${SPAWN_REPO}/releases/download/cli-latest/cli.js" -o "${tmpdir}/cli.js" if [ ! -s "${tmpdir}/cli.js" ]; then log_error "Failed to download pre-built binary" exit 1 fi if [ -n "${SPAWN_INSTALL_DIR:-}" ]; then case "${SPAWN_INSTALL_DIR}" in /*) ;; # absolute path OK *) log_error "SPAWN_INSTALL_DIR must be an absolute path"; exit 1 ;; esac case "${SPAWN_INSTALL_DIR}" in *..*) log_error "SPAWN_INSTALL_DIR must not contain .. path components"; exit 1 ;; esac fi INSTALL_DIR="${SPAWN_INSTALL_DIR:-${HOME}/.local/bin}" mkdir -p "${INSTALL_DIR}" cp "${tmpdir}/cli.js" "${INSTALL_DIR}/spawn" chmod +x "${INSTALL_DIR}/spawn" log_info "Installed spawn to ${INSTALL_DIR}/spawn" ensure_in_path "${INSTALL_DIR}" } # --- Locate or install bun --- # Save original PATH before modifications so ensure_in_path() can check # whether the install dir is already in the user's real PATH. _SPAWN_ORIG_PATH="${PATH}" # When running via `curl | bash`, subshells may not inherit PATH updates, # so we always prepend the standard bun install locations explicitly. export BUN_INSTALL="${BUN_INSTALL:-${HOME}/.bun}" export PATH="${BUN_INSTALL}/bin:${HOME}/.local/bin:${PATH}" # Check that bun exists AND actually works. Some platforms (e.g. Sprite) # have a bun shim that delegates to $HOME/.bun/bin/bun — if that binary # doesn't exist, `command -v bun` returns 0 but `bun --version` fails. if ! bun --version &>/dev/null; then log_step "bun not found or not working. Installing bun..." # Download the bun installer to a temp file and verify its SHA-256 hash # before executing. This defends against a compromised bun.sh CDN or # DNS hijack serving a tampered install script. _bun_installer=$(mktemp) curl -fsSL --proto '=https' "https://bun.sh/install?version=${BUN_INSTALL_VERSION}" -o "$_bun_installer" _bun_hash="$(sha256_file "$_bun_installer" 2>/dev/null || true)" if [ -z "$_bun_hash" ]; then log_warn "Cannot verify bun installer (no sha256sum/shasum available), executing unverified" elif [ "$_bun_hash" != "$BUN_INSTALLER_SHA256" ]; then rm -f "$_bun_installer" log_error "bun installer hash mismatch — possible supply chain attack" log_error "Expected: ${BUN_INSTALLER_SHA256}" log_error "Got: ${_bun_hash}" echo "" echo "The bun installer from bun.sh does not match the expected hash." echo "This could indicate a compromised CDN or DNS hijack." echo "" echo "If bun has released a new installer, please report this at:" echo " https://github.com/${SPAWN_REPO}/issues" exit 1 fi bash "$_bun_installer" rm -f "$_bun_installer" # Re-export so bun is available in this session immediately. # Use hard-coded paths alongside BUN_INSTALL — the bun installer may # have placed the binary in $HOME/.bun/bin even if BUN_INSTALL differs. export PATH="$HOME/.bun/bin:${BUN_INSTALL}/bin:$HOME/.local/bin:${PATH}" if ! command -v bun &>/dev/null; then log_error "Failed to install bun automatically" echo "" echo "Please install bun manually:" echo " curl -fsSL --proto '=https' https://bun.sh/install?version=${BUN_INSTALL_VERSION} | bash" echo "" echo "Then reopen your terminal and re-run:" echo " curl -fsSL --proto '=https' ${SPAWN_CDN}/cli/install.sh | bash" exit 1 fi log_info "bun installed successfully" fi ensure_min_bun_version log_step "Installing spawn via bun..." build_and_install # Persist install referrer (e.g. SPAWN_REF=reddit) so the CLI can report # attribution on first run. Only written once — never overwritten on updates. if [ -n "${SPAWN_REF:-}" ]; then _ref_dir="${HOME}/.config/spawn" _ref_file="${_ref_dir}/.ref" if [ ! -f "${_ref_file}" ]; then mkdir -p "${_ref_dir}" # Sanitize: allow only alphanumeric, hyphens, underscores (no injection) _clean_ref=$(printf '%s' "${SPAWN_REF}" | tr -cd 'a-zA-Z0-9_-' | head -c 32) if [ -n "${_clean_ref}" ]; then printf '%s' "${_clean_ref}" > "${_ref_file}" log_info "Install referrer: ${_clean_ref}" fi fi fi