spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-11 13:20:05 +00:00

History

A 1696ecdaa9 fix(security): add defense-in-depth username validation in GCP startup script (#2689 ) Add explicit username format validation (`/^[a-zA-Z0-9_-]+$/`) as defense-in-depth in `getStartupScript()` and `createInstance()`. While `resolveUsername()` currently returns a constant, this belt-and-suspenders check prevents shell injection if the function is ever changed to accept dynamic input. Fixes #2688 Agent: ux-engineer Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-03-16 01:38:21 -07:00
..
cli	fix(security): add defense-in-depth username validation in GCP startup script (#2689 )	2026-03-16 01:38:21 -07:00
shared	feat: add downloadFile to CloudRunner + local OpenClaw config merge (#2636 )	2026-03-14 15:47:32 -07:00

fix(security): add defense-in-depth username validation in GCP startup script (#2689 )

Add explicit username format validation (`/^[a-zA-Z0-9_-]+$/`) as
defense-in-depth in `getStartupScript()` and `createInstance()`. While
`resolveUsername()` currently returns a constant, this belt-and-suspenders
check prevents shell injection if the function is ever changed to accept
dynamic input.

Fixes #2688

Agent: ux-engineer

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-03-16 01:38:21 -07:00

cli

fix(security): add defense-in-depth username validation in GCP startup script (#2689 )

2026-03-16 01:38:21 -07:00

shared

feat: add downloadFile to CloudRunner + local OpenClaw config merge (#2636 )

2026-03-14 15:47:32 -07:00