spawn/sh/aws
A cfa1ae7a08
fix(security): add --proto '=https' to all curl bun installer calls (#2138)
* fix(security): add --proto '=https' to all curl bun installer calls

Fixes #2134

All _ensure_bun() functions across aws, hetzner, gcp, local, daytona,
and sprite scripts now enforce HTTPS-only downloads via --proto '=https'.
This prevents MITM attacks during bun installation on remote VMs.
DigitalOcean scripts were already correct and are not changed.

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): add --proto '=https' to bun installer in TS files

Address security reviewer feedback: the same MITM vulnerability
existed in 5 TypeScript programmatic provisioning files.

Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): quote --proto '=https' in su -c curl calls

The aws.ts and gcp.ts files had --proto =https without quotes inside
su -c '...' blocks. Uses double quotes ("=https") to properly nest
inside the single-quoted su -c argument while maintaining protocol
restriction.

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 11:52:54 -08:00
claude.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
codex.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
hermes.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
kilocode.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
openclaw.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
opencode.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
README.md fix(e2e): add sh/aws/hermes.sh and mark aws/hermes as implemented (#2042) 2026-02-28 20:38:26 -05:00
zeroclaw.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00

AWS Lightsail

AWS Lightsail instances via AWS CLI.

Prerequisites

  1. Enable AWS Lightsail — New AWS accounts must activate Lightsail before first use. Visit the Lightsail console and follow the activation prompt. Without this step, all provisioning commands will fail.

  2. AWS CLI installed and configured — Run aws configure with your Access Key ID and Secret Access Key.

Uses ubuntu user instead of root.

Agents

Claude Code

bash <(curl -fsSL https://openrouter.ai/labs/spawn/aws/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/labs/spawn/aws/openclaw.sh)

ZeroClaw

bash <(curl -fsSL https://openrouter.ai/labs/spawn/aws/zeroclaw.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/labs/spawn/aws/codex.sh)

OpenCode

bash <(curl -fsSL https://openrouter.ai/labs/spawn/aws/opencode.sh)

Kilo Code

bash <(curl -fsSL https://openrouter.ai/labs/spawn/aws/kilocode.sh)

Hermes Agent

bash <(curl -fsSL https://openrouter.ai/labs/spawn/aws/hermes.sh)

Non-Interactive Mode

LIGHTSAIL_SERVER_NAME=dev-mk1 \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/labs/spawn/aws/claude.sh)
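The commit message at the top of this listing describes three states a curl installer call can be in: no protocol restriction, an unquoted `--proto =https`, and the quoted `--proto '=https'` or `--proto "=https"`. The following check is an added example, not code from the spawn repository, that classifies each curl call in a script accordingly; the function names and the `installer.example` URL are assumptions made for illustration, and the sample script is constructed.

```shell
# Added example, not from the spawn repository.
# audit_curl_proto: read shell script text on stdin and print "<line>:<status>"
# for every non-comment line that invokes curl.
#   ok       --proto '=https' or --proto "=https" (quoted, as in the commits)
#   unquoted --proto =https without quotes (the form the third commit replaced)
#   missing  no HTTPS-only restriction on the call
audit_curl_proto() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    # Drop leading whitespace so indented comments are recognised.
    trimmed=${line#"${line%%[![:space:]]*}"}
    case "$trimmed" in
      \#*) continue ;;
    esac
    # Only lines that actually call curl are classified.
    case "$line" in
      *curl\ *) ;;
      *) continue ;;
    esac
    case "$line" in
      *"--proto '=https'"*|*'--proto "=https"'*) status=ok ;;
      *"--proto =https "*|*"--proto =https") status=unquoted ;;
      *) status=missing ;;
    esac
    printf '%s:%s\n' "$n" "$status"
  done
}

# Constructed sample input; installer.example is a placeholder host.
sample_script() {
  cat <<'EOF'
#!/bin/bash
# curl -fsSL https://installer.example/install | bash
curl --proto '=https' -fsSL https://installer.example/install | bash
su - ubuntu -c 'curl --proto "=https" -fsSL https://installer.example/install | bash'
su - ubuntu -c 'curl --proto =https -fsSL https://installer.example/install | bash'
curl -fsSL https://installer.example/install | bash
echo done
EOF
}

sample_script | audit_curl_proto
```

Protocols denied by `--proto` stay denied when curl follows a redirect, so a call reported as `ok` also refuses an HTTPS-to-HTTP redirect from the installer host.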