GitHub Codespaces scripts embedded API keys directly into heredocs sent over SSH, allowing single-quote breakout for command injection. Fixed by adding upload_file/run_server/inject_env_vars helpers to Codespaces lib and using safe temp-file-upload pattern (matching Railway/Render). Render claude.sh and openclaw.sh built JSON config via unescaped heredocs. Fixed by using shared setup_claude_code_config/setup_openclaw_config helpers which properly json_escape values. FluidStack had triple-quote injection in SSH key registration (pub_key embedded in Python triple-quotes) and missing single-quote validation in create_server env var checks. Fixed by reading values via stdin/argv instead of string interpolation, and added single-quote to validation. Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
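#!/bin/bash
#
# Provision a Render service, install Claude Code on it, point it at
# OpenRouter and open an interactive session.
#
# Environment:
#   OPENROUTER_API_KEY  optional; when empty or unset the key is obtained via
#                       get_openrouter_api_key_oauth instead.
#
# Every helper called below (log_*, ensure_render_*, create_server,
# run_server, upload_file, inject_env_vars, setup_claude_code_config,
# interactive_session, ...) comes from lib/common.sh, which is not part of
# this file.
set -eo pipefail

# Source common functions - try local file first, fall back to remote.
# A failing cd must not abort the script under `set -e` before the remote
# fallback has a chance to run, so the failure is mapped to an empty value.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" 2>/dev/null && pwd)" || SCRIPT_DIR=""

if [[ -n "$SCRIPT_DIR" && -f "$SCRIPT_DIR/lib/common.sh" ]]; then
    source "$SCRIPT_DIR/lib/common.sh"
else
    # NOTE(review): this executes code fetched from the mutable `main` branch
    # in the local shell, which later holds the Render and OpenRouter
    # credentials. Anyone able to change that branch changes what runs here.
    # Pinning the URL to a reviewed commit and verifying a checksum before
    # eval would close that gap; left unchanged to keep behaviour.
    #
    # The download is captured first so that a failed or truncated transfer
    # stops the script instead of eval'ing an empty or partial library
    # (eval of an empty string succeeds, so `set -e` would not catch it).
    if ! common_lib="$(curl -fsSL https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/render/lib/common.sh)"; then
        printf '%s\n' "Failed to download render/lib/common.sh" >&2
        exit 1
    fi
    if [[ -z "$common_lib" ]]; then
        printf '%s\n' "Downloaded render/lib/common.sh is empty" >&2
        exit 1
    fi
    eval "$common_lib"
    unset common_lib
fi

log_info "Claude Code on Render"
echo ""

# 1. Ensure Render CLI and API key
ensure_render_cli
ensure_render_api_key

# 2. Create service
SERVER_NAME=$(get_server_name)
create_server "$SERVER_NAME"

# 3. Wait for service readiness
wait_for_cloud_init

# 4. Install Claude Code
# NOTE(review): the installer is piped straight into bash on the server with
# no integrity check, and whether the remote shell runs with pipefail is not
# visible here, so a failed download may not fail this step. The explicit
# `command -v claude` check below is what detects a missing install.
log_warn "Installing Claude Code..."
run_server "curl -fsSL https://claude.ai/install.sh | bash"

# Verify installation
if ! run_server "command -v claude" >/dev/null 2>&1; then
    log_error "Claude Code installation failed"
    exit 1
fi
log_info "Claude Code installed"

# 5. Get OpenRouter API key
# A key already present in the environment wins; otherwise the OAuth helper
# is called (5180 is presumably its local callback port - confirm in
# lib/common.sh).
echo ""
if [[ -n "${OPENROUTER_API_KEY:-}" ]]; then
    log_info "Using OpenRouter API key from environment"
else
    OPENROUTER_API_KEY=$(get_openrouter_api_key_oauth 5180)
fi

# 6. Inject environment variables
# The key is handed to the helper as a NAME=value argument rather than being
# interpolated into a remote command string. Quoting and escaping of the
# value on the server side is the helper's job (not visible here). Do not
# enable `set -x` around this call: the trace would print the key.
# ANTHROPIC_API_KEY is deliberately set to an empty value. The `\$` escapes
# keep $HOME and $PATH literal in the argument, presumably so that they are
# expanded on the server rather than locally.
log_warn "Setting up environment variables..."

inject_env_vars \
    "OPENROUTER_API_KEY=${OPENROUTER_API_KEY}" \
    "ANTHROPIC_BASE_URL=https://openrouter.ai/api" \
    "ANTHROPIC_AUTH_TOKEN=${OPENROUTER_API_KEY}" \
    "ANTHROPIC_API_KEY=" \
    "CLAUDE_CODE_SKIP_ONBOARDING=1" \
    "CLAUDE_CODE_ENABLE_TELEMETRY=0" \
    "PATH=\$HOME/.claude/local/bin:\$HOME/.bun/bin:\$PATH"

# 7. Configure Claude Code settings via shared helper (uses json_escape for safe key handling)
# The upload and run helpers are passed by name, so the shared helper decides
# how the config reaches the server; this script never builds the JSON itself.
setup_claude_code_config "$OPENROUTER_API_KEY" "upload_file" "run_server"

echo ""
log_info "Render service setup completed successfully!"
# RENDER_SERVICE_NAME / RENDER_SERVICE_ID are not assigned in this file;
# presumably create_server sets them. Without `set -u` an unset value prints
# as empty.
log_info "Service: $RENDER_SERVICE_NAME (ID: $RENDER_SERVICE_ID)"
echo ""

# 8. Start Claude Code interactively
# The remote command assumes the session user's profile is /root/.bashrc.
log_warn "Starting Claude Code..."
sleep 1
clear
interactive_session "source /root/.bashrc && claude"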