vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-05 23:50:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
mirror of https://github.com/OpenRouterTeam/spawn , link from https://openrouter.ai/spawn and https://discord.com/channels/1091220969173028894/1092729520181739581/1483604863098028273 https://openrouter.ai/spawn
48 commits 25 branches 19 tags 24 MiB
Find a file
Sprite a9818001da refactor: migrate 5 cloud libraries to shared/common.sh pattern 
Migrated aws-lightsail, e2b, gcp, lambda, and modal libraries to use
the shared library pattern established in earlier refactoring rounds.

Changes:
- Added shared/common.sh sourcing block (local-first, remote-fallback)
- Added bash safety flags (set -eo pipefail) to all 5 libraries
- Removed duplicate provider-agnostic functions:
  - Logging (log_info, log_warn, log_error)
  - Input handling (safe_read)
  - OAuth flow (try_oauth_flow, get_openrouter_api_key_oauth)
  - SSH helpers (generate_ssh_key_if_missing, etc.)
- Retained cloud-specific functions:
  - API wrappers and CLI integration
  - Server provisioning and lifecycle management
  - Cloud-specific validation and configuration

Impact:
- Net reduction: 460 lines (-545 added +85)
- Eliminates code duplication across 5 providers
- Improves consistency and maintainability
- All libraries now follow the same architectural pattern

Task: #3 (score 56 - highest priority)
Also addresses Task #4 (bash safety flags)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-08 01:08:34 +00:00
.claude Implement Claude Code Agent Teams for continuous improvement (#20) 2026-02-07 13:54:27 -08:00
.github/workflows ci: add shellcheck linting infrastructure 2026-02-08 01:08:34 +00:00
aws-lightsail refactor: migrate 5 cloud libraries to shared/common.sh pattern 2026-02-08 01:08:34 +00:00
cli refactor: drop nounset flag from cli/spawn.sh for consistency 2026-02-08 00:54:49 +00:00
digitalocean Use ${VAR:-} for all optional env var checks (#28) 2026-02-07 16:28:12 -08:00
docs docs: add Round 6 refactoring summary 2026-02-08 00:55:36 +00:00
e2b refactor: migrate 5 cloud libraries to shared/common.sh pattern 2026-02-08 01:08:34 +00:00
gcp refactor: migrate 5 cloud libraries to shared/common.sh pattern 2026-02-08 01:08:34 +00:00
hetzner Use ${VAR:-} for all optional env var checks (#28) 2026-02-07 16:28:12 -08:00
lambda refactor: migrate 5 cloud libraries to shared/common.sh pattern 2026-02-08 01:08:34 +00:00
linode Use ${VAR:-} for all optional env var checks (#28) 2026-02-07 16:28:12 -08:00
modal refactor: migrate 5 cloud libraries to shared/common.sh pattern 2026-02-08 01:08:34 +00:00
shared Fix OAuth server blocking: redirect subshell stdout (#30) 2026-02-07 17:00:50 -08:00
sprite Use ${VAR:-} for all optional env var checks (#28) 2026-02-07 16:28:12 -08:00
test Autonomous refactoring: 5 rounds, ~1,400 lines eliminated, production-ready 2026-02-08 00:06:46 +00:00
vultr Use ${VAR:-} for all optional env var checks (#28) 2026-02-07 16:28:12 -08:00
.shellcheckrc ci: add shellcheck linting infrastructure 2026-02-08 01:08:34 +00:00
AUTONOMOUS_REFACTORING_COMPLETE.md Autonomous refactoring: 5 rounds, ~1,400 lines eliminated, production-ready 2026-02-08 00:06:46 +00:00
CLAUDE.md Drop nounset (set -u) flag — incompatible with env var checks (#27) 2026-02-07 16:22:04 -08:00
improve.sh Implement Claude Code Agent Teams for continuous improvement (#20) 2026-02-07 13:54:27 -08:00
manifest.json Autonomous refactoring: 5 rounds, ~1,400 lines eliminated, production-ready 2026-02-08 00:06:46 +00:00
README.md ci: add shellcheck linting infrastructure 2026-02-08 01:08:34 +00:00
REFACTORING_SUMMARY.md Autonomous refactoring: 5 rounds, ~1,400 lines eliminated, production-ready 2026-02-08 00:06:46 +00:00

README.md

Spawn

Conjure your agents!

Features

  • 🔐 Automatic OAuth - Seamless authentication with OpenRouter
  • 🔄 Smart Fallback - Manual API key entry if OAuth fails
  • 🚀 One Command Setup - Get running in minutes
  • 🔧 Environment Ready - Pre-configured shell and dependencies

Usage

Claude Code

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/openclaw.sh)

NanoClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/nanoclaw.sh)

Aider

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/aider.sh)

Goose

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/goose.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/codex.sh)

Open Interpreter

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/interpreter.sh)

Non-Interactive Mode

For automation or CI/CD, set environment variables:

Claude Code

SPRITE_NAME=dev-mk1 \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/claude.sh)

OpenClaw

SPRITE_NAME=dev-mk1 \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/openclaw.sh)

NanoClaw

SPRITE_NAME=dev-mk1 \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/nanoclaw.sh)

Environment Variables:

  • SPRITE_NAME - Name for the sprite (skips prompt)
  • OPENROUTER_API_KEY - Skip OAuth and use this API key directly

Hetzner Cloud

Spawn agents on Hetzner Cloud servers. No hcloud CLI needed — uses the Hetzner REST API directly.

Usage

Claude Code

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/openclaw.sh)

NanoClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/nanoclaw.sh)

Aider

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/aider.sh)

Goose

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/goose.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/codex.sh)

Open Interpreter

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/interpreter.sh)

Non-Interactive Mode

HETZNER_SERVER_NAME=dev-mk1 \
HCLOUD_TOKEN=your-hetzner-api-token \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/claude.sh)

Environment Variables:

  • HETZNER_SERVER_NAME - Name for the server (skips prompt)
  • HCLOUD_TOKEN - Hetzner Cloud API token (skips prompt, saved to ~/.config/spawn/hetzner.json)
  • OPENROUTER_API_KEY - Skip OAuth and use this API key directly
  • HETZNER_SERVER_TYPE - Server type (default: cx22)
  • HETZNER_LOCATION - Datacenter location (default: fsn1)

DigitalOcean

Spawn agents on DigitalOcean Droplets via REST API.

Usage

Claude Code

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/openclaw.sh)

NanoClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/nanoclaw.sh)

Aider

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/aider.sh)

Goose

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/goose.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/codex.sh)

Open Interpreter

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/interpreter.sh)

Non-Interactive Mode

DO_DROPLET_NAME=dev-mk1 \
DO_API_TOKEN=your-digitalocean-api-token \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/claude.sh)

Environment Variables:

  • DO_DROPLET_NAME - Name for the droplet (skips prompt)
  • DO_API_TOKEN - DigitalOcean API token (skips prompt, saved to ~/.config/spawn/digitalocean.json)
  • OPENROUTER_API_KEY - Skip OAuth and use this API key directly
  • DO_DROPLET_SIZE - Droplet size (default: s-2vcpu-2gb)
  • DO_REGION - Datacenter region (default: nyc3)

Vultr

Spawn agents on Vultr Cloud Compute instances via REST API.

Usage

Claude Code

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/openclaw.sh)

NanoClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/nanoclaw.sh)

Aider

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/aider.sh)

Goose

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/goose.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/codex.sh)

Open Interpreter

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/interpreter.sh)

Non-Interactive Mode

VULTR_SERVER_NAME=dev-mk1 \
VULTR_API_KEY=your-vultr-api-key \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/claude.sh)

Environment Variables:

  • VULTR_SERVER_NAME - Name for the instance (skips prompt)
  • VULTR_API_KEY - Vultr API key (skips prompt, saved to ~/.config/spawn/vultr.json)
  • OPENROUTER_API_KEY - Skip OAuth and use this API key directly
  • VULTR_PLAN - Instance plan (default: vc2-1c-2gb)
  • VULTR_REGION - Datacenter region (default: ewr)

Linode (Akamai)

Spawn agents on Linode instances via REST API.

Usage

Claude Code

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/openclaw.sh)

NanoClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/nanoclaw.sh)

Aider

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/aider.sh)

Goose

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/goose.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/codex.sh)

Open Interpreter

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/interpreter.sh)

Non-Interactive Mode

LINODE_SERVER_NAME=dev-mk1 \
LINODE_API_TOKEN=your-linode-api-token \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/claude.sh)

Environment Variables:

  • LINODE_SERVER_NAME - Label for the Linode (skips prompt)
  • LINODE_API_TOKEN - Linode API token (skips prompt, saved to ~/.config/spawn/linode.json)
  • OPENROUTER_API_KEY - Skip OAuth and use this API key directly
  • LINODE_TYPE - Instance type (default: g6-standard-1)
  • LINODE_REGION - Datacenter region (default: us-east)

Architecture

Spawn uses a shared library pattern to reduce code duplication across cloud providers:

Library Structure

spawn/
  shared/
    common.sh         # Provider-agnostic utilities (logging, OAuth, SSH helpers)
  {cloud}/
    lib/common.sh     # Cloud-specific functions (sources shared/common.sh)
    {agent}.sh        # Agent deployment scripts

How It Works

  1. shared/common.sh - Core utilities used by all clouds:

    • Color logging (log_info, log_warn, log_error)
    • Safe input handling (safe_read)
    • OAuth flow for OpenRouter authentication
    • Network utilities (nc_listen, open_browser)
    • SSH key management and connectivity helpers
    • Security validation (validate_model_id, json_escape)

  2. {cloud}/lib/common.sh - Cloud-specific extensions:

    • Sources shared/common.sh first
    • Adds provider-specific functions (API wrappers, provisioning logic)
    • Examples: sprite/lib/common.sh adds Sprite CLI functions, hetzner/lib/common.sh adds Hetzner API functions

  3. Agent scripts - Combine shared utilities with cloud-specific provisioning:

    • Source their cloud's lib/common.sh
    • Use shared functions for authentication and setup
    • Use cloud functions for server provisioning
    • Deploy and configure the specific agent

Benefits

  • DRY (Don't Repeat Yourself) - OAuth, logging, and SSH logic are written once
  • Consistency - All scripts use the same patterns for authentication and error handling
  • Maintainability - Bug fixes in shared/common.sh benefit all cloud providers
  • Extensibility - Adding a new cloud only requires writing provider-specific logic

Development

Running ShellCheck Locally

Spawn uses ShellCheck to lint all bash scripts and catch common mistakes.

Install ShellCheck:

# Ubuntu/Debian
sudo apt-get install shellcheck

# macOS
brew install shellcheck

# Fedora
sudo dnf install ShellCheck

Run on all scripts:

find . -name "*.sh" \
  ! -path "*/node_modules/*" \
  ! -path "*/.git/*" \
  -exec shellcheck {} +

Run on a single file:

shellcheck shared/common.sh

The CI pipeline automatically runs shellcheck on all pull requests. See .shellcheckrc for configuration.

Security

API Token Storage

Spawn stores cloud provider API tokens and OpenRouter API keys locally in JSON files at ~/.config/spawn/:

  • hetzner.json - Hetzner Cloud API token
  • digitalocean.json - DigitalOcean API token
  • vultr.json - Vultr API key
  • linode.json - Linode API token
  • OpenRouter API keys stored in shell config files (~/.bashrc, ~/.zshrc)

Security Posture:

  • All token files are created with chmod 600 (user read/write only)
  • Tokens are stored in plaintext - not encrypted at rest
  • Security relies on filesystem permissions and OS user isolation

Recommendations:

  1. Protect your user account - Use strong passwords, disk encryption, and secure your SSH keys
  2. Use dedicated API tokens - Create tokens specifically for Spawn with minimal required permissions
  3. Rotate tokens regularly - Revoke and regenerate API tokens periodically
  4. Multi-user systems - On shared machines, be aware that root users can read these files
  5. Backup security - Ensure backups of ~/.config/ are encrypted

Why plaintext?

  • Simplicity and compatibility across all Unix-like systems
  • File permissions (600) provide adequate protection for single-user machines
  • Encryption at rest would require key management, adding complexity without significant security benefit for typical use cases
  • Cloud providers recommend similar approaches for CLI tools (AWS CLI, gcloud, etc.)

Alternative approaches:

  • For higher security requirements, consider using environment variables instead of saved tokens
  • Pass OPENROUTER_API_KEY, HCLOUD_TOKEN, etc. as environment variables on each run
  • Use OS credential stores (Keychain on macOS, Secret Service on Linux) - requires additional dependencies