mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-18 23:51:40 +00:00
Reproduces with: any staged file matching the secret regex (e.g. a test
fixture containing an OpenRouter / Anthropic / OpenAI key shape).

The redact step ran:

    sed -i -E "s|${SECRET_REGEX}|${REDACT_PLACEHOLDER}|g" "$f"

SECRET_REGEX is itself a `|`-separated alternation of provider patterns
(`(sk-or-v1-...)|(sk-ant-api...)|(...)`). After bash expansion, sed sees
multiple fields where it expected three, and bails with:

    sed: -e expression #1, char 67: unknown option to `s'

The export then fails on the VM ("sprite exec failed (exit 1)") even
though the user already approved the redaction in the host prompt.

Fix: switch the sed delimiter to '#'. None of the regex tokens
(provider prefixes, char classes, quantifiers, PEM marker) contain '#',
and neither does the placeholder, so the substitution is unambiguous.
'|' inside the pattern is now correctly interpreted by sed -E as
alternation, which is what we wanted all along.

Adds a regression test asserting the script uses 's#...#...#g' and
not 's|...|...|g'.

Bumps CLI 1.0.35 -> 1.0.36.
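
The delimiter collision described in the commit message above, as an added example that is not part of the commit or the project's script. The SECRET_REGEX value, the placeholder, the sample keys and the function names are constructed stand-ins, since the real pattern is elided on the page; redact_checked adds a guard for the assumption the fix relies on (no '#' in pattern or placeholder).

```shell
#!/bin/sh
# Constructed stand-ins: the project's real regex and placeholder are not shown on the page.
SECRET_REGEX='(sk-or-v1-[a-f0-9]{16,})|(sk-ant-api[0-9]{2}-[A-Za-z0-9_-]{16,})'
REDACT_PLACEHOLDER='[REDACTED]'

# Old form: '|' is both the s-command delimiter and the ERE alternation operator,
# so the second alternative is parsed as the replacement and the placeholder as flags.
redact_pipe() {
  sed -E "s|${SECRET_REGEX}|${REDACT_PLACEHOLDER}|g"
}

# Fixed form: '#' delimits the command, so '|' reaches the regex engine as alternation.
redact_hash() {
  sed -E "s#${SECRET_REGEX}#${REDACT_PLACEHOLDER}#g"
}

# Guard: refuse to build the sed program if either side contains the delimiter,
# instead of failing (or mis-substituting) after the pattern list changes later.
redact_checked() {
  case "${SECRET_REGEX}${REDACT_PLACEHOLDER}" in
    *'#'*)
      echo "redact: '#' appears in pattern or placeholder" >&2
      return 2
      ;;
  esac
  redact_hash
}

# Constructed sample input (fake key shapes, not real credentials).
SAMPLE='OPENROUTER_API_KEY=sk-or-v1-0123456789abcdef0123
ANTHROPIC_API_KEY=sk-ant-api03-AAAABBBBCCCCDDDDEEEE
PORT=8080'

demo() {
  # The pipe-delimited form is rejected by sed before any input is processed.
  if ! printf '%s\n' "$SAMPLE" | redact_pipe 2>/dev/null; then
    echo "pipe-delimited form: sed rejected the expression"
  fi
  # The hash-delimited form redacts both key shapes and leaves other lines alone.
  printf '%s\n' "$SAMPLE" | redact_checked
}

demo
```
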
27 lines
696 B
JSON
{
  "name": "@openrouter/spawn",
  "version": "1.0.36",
  "type": "module",
  "bin": {
    "spawn": "cli.js"
  },
  "scripts": {
    "dev": "bun run src/index.ts",
    "build": "bun build src/index.ts --outfile cli.js --target bun --minify --packages bundle",
    "compile": "bun build src/index.ts --compile --outfile spawn",
    "lint": "biome lint src/",
    "test": "bun test",
    "test:watch": "bun test --watch"
  },
  "dependencies": {
    "@clack/prompts": "1.0.0",
    "@daytonaio/sdk": "0.160.0",
    "@openrouter/spawn-shared": "workspace:*",
    "picocolors": "1.1.1",
    "valibot": "1.2.0"
  },
  "devDependencies": {
    "@biomejs/biome": "2.4.3",
    "@types/bun": "1.3.8"
  }
}