spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-07 00:50:52 +00:00

History

A 2af285dc52 feat: fall back to SigV4 REST API when AWS CLI is absent (aws/lightsail) (#1583 ) * feat: fall back to SigV4 REST API when AWS CLI is absent (aws/lightsail) If `aws` CLI is not installed but AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY are set, provision Lightsail instances directly via the REST API instead of erroring out. - Add _lightsail_rest(): inline Bun TypeScript that computes SigV4 signatures via node:crypto and calls the Lightsail API with native fetch — no openssl or curl gymnastics required - Add _ls_json(): dot-path JSON parser, prefers jq, falls back to bun eval - ensure_aws_cli() now sets LIGHTSAIL_MODE=cli\|rest; REST mode requires bun (already a project dependency) and shows a clear error if missing - All API calls in ensure_ssh_key, create_server, _wait_for_lightsail_instance, destroy_server, list_servers are gated on LIGHTSAIL_MODE - Replace all python3 JSON encoding (key import, userdata, list table) with bun eval — consistent with project tooling - No more auto-install of the 200 MB AWS CLI binary Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: add interactive AWS CLI install when CLI is missing When neither aws CLI nor raw credentials are found, prompt the user to install AWS CLI v2 on the spot (macOS .pkg / Linux zip installer). After install, prompt for Access Key ID + Secret and validate via sts:GetCallerIdentity before proceeding. The decision cascade is now: 1. Existing aws CLI with valid creds → cli mode 2. Raw env-var creds + bun available → rest mode 3. Offer to install aws CLI → prompt for creds → cli mode 4. Creds collected during install + bun → rest mode fallback 5. Nothing worked → show manual instructions Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: eliminate code/path injection in bun eval calls (aws/lib/common.sh) Pass shell variables as process.argv arguments instead of interpolating them into JavaScript string literals: - _ls_json(): path parameter passed as process.argv[2] (was CRITICAL code injection — attacker-controlled path could escape the string) - ensure_ssh_key(): pub_path and key_name passed as process.argv[2..3] (was HIGH — path injection via $HOME) - create_server(): ud_tmp, name, az, bundle passed as process.argv[2..5] (was MEDIUM — temp file path interpolation) Agent: pr-maintainer Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude <claude@anthropic.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: B <6723574+louisgv@users.noreply.github.com>	2026-02-21 16:46:57 +00:00
..
common.sh	feat: fall back to SigV4 REST API when AWS CLI is absent (aws/lightsail) (#1583 )	2026-02-21 16:46:57 +00:00

feat: fall back to SigV4 REST API when AWS CLI is absent (aws/lightsail) (#1583 )

* feat: fall back to SigV4 REST API when AWS CLI is absent (aws/lightsail)

If `aws` CLI is not installed but AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY
are set, provision Lightsail instances directly via the REST API instead of
erroring out.

- Add _lightsail_rest(): inline Bun TypeScript that computes SigV4 signatures
  via node:crypto and calls the Lightsail API with native fetch — no openssl
  or curl gymnastics required
- Add _ls_json(): dot-path JSON parser, prefers jq, falls back to bun eval
- ensure_aws_cli() now sets LIGHTSAIL_MODE=cli|rest; REST mode requires bun
  (already a project dependency) and shows a clear error if missing
- All API calls in ensure_ssh_key, create_server, _wait_for_lightsail_instance,
  destroy_server, list_servers are gated on LIGHTSAIL_MODE
- Replace all python3 JSON encoding (key import, userdata, list table) with
  bun eval — consistent with project tooling
- No more auto-install of the 200 MB AWS CLI binary

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add interactive AWS CLI install when CLI is missing

When neither aws CLI nor raw credentials are found, prompt the user
to install AWS CLI v2 on the spot (macOS .pkg / Linux zip installer).
After install, prompt for Access Key ID + Secret and validate via
sts:GetCallerIdentity before proceeding.

The decision cascade is now:
  1. Existing aws CLI with valid creds → cli mode
  2. Raw env-var creds + bun available → rest mode
  3. Offer to install aws CLI → prompt for creds → cli mode
  4. Creds collected during install + bun → rest mode fallback
  5. Nothing worked → show manual instructions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: eliminate code/path injection in bun eval calls (aws/lib/common.sh)

Pass shell variables as process.argv arguments instead of interpolating
them into JavaScript string literals:

- _ls_json(): path parameter passed as process.argv[2] (was CRITICAL
  code injection — attacker-controlled path could escape the string)
- ensure_ssh_key(): pub_path and key_name passed as process.argv[2..3]
  (was HIGH — path injection via $HOME)
- create_server(): ud_tmp, name, az, bundle passed as process.argv[2..5]
  (was MEDIUM — temp file path interpolation)

Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude <claude@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>

2026-02-21 16:46:57 +00:00

common.sh

feat: fall back to SigV4 REST API when AWS CLI is absent (aws/lightsail) (#1583 )

2026-02-21 16:46:57 +00:00