mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-23 04:24:39 +00:00
d5461adc16
* feat: SPAWN_CLI_DIR env var to force local source in e2e and shell scripts When SPAWN_CLI_DIR is set, the entire toolchain uses local TypeScript source instead of downloading pre-bundled scripts from GitHub releases: - e2e.sh: auto-sets SPAWN_CLI_DIR to repo root when running locally - provision.sh: exports SPAWN_CLI_DIR into the headless subshell - commands.ts: reads local shell scripts instead of fetching from CDN - All 36 cloud/agent shell scripts: exec local main.ts when set This enables e2e tests to validate local changes before they're released. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(security): add path traversal defense to SPAWN_CLI_DIR script loading Canonicalize the path via realpathSync and verify it stays inside the resolved CLI directory before reading. Prevents SPAWN_CLI_DIR from being used to read arbitrary files via ../ traversal. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(security): harden SPAWN_CLI_DIR path traversal defense - Validate cloud/agent names don't contain '..', '/' or '\' before constructing file paths - Fix root-directory edge case in prefix check by handling trailing separator correctly Agent: pr-maintainer Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: B <6723574+louisgv@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| aws | ||
| cli | ||
| daytona | ||
| digitalocean | ||
| docker | ||
| e2e | ||
| gcp | ||
| hetzner | ||
| local | ||
| shared | ||
| sprite | ||
| test | ||