cf91956001
Three independent shell hardening fixes from Opus Shell + Sonnet Shell audits.
1. disk-reclaim.sh Guard 3 — protect branches without upstream tracking (HIGH)
File: hooks/disk-reclaim.sh:88-101
Bug: when a worktree branch has no upstream tracking ref, `git log @{u}..`
exited non-zero and `unpushed=""` (empty). The check
`[ -n "$unpushed" ] && [ "$unpushed" != "0" ]` evaluated FALSE, so the
worktree fell through Guard 3 and was eligible for mtime-based pruning.
Local-only branches with committed work were silently deleted.
Fix: explicit two-branch logic. Run `git rev-parse --abbrev-ref @{u}` first;
only run the unpushed-count check if upstream exists. If no upstream, log
SKIP[no-upstream] and `continue` conservatively. New
`worktrees_skip_unpushed` counter increments in both unpushed paths.
2. secrets-pre-guard.sh — placeholder allowlist scope-narrow (MEDIUM)
File: hooks/secrets-pre-guard.sh:43-103
Bug: word "placeholder" anywhere in content disabled all secret-pattern
scanning for that whole Write. Allowlist was too broad — a doc with the
word "placeholder" in its prose could mask a real sk-ant- token elsewhere.
Fix: replaced global early-exit with per-line awk scan. New scan_pattern()
helper walks content line-by-line; each line matching a secret regex is
allowed ONLY if the SAME line also matches ALLOWLIST_RE. Doc prose can no
longer mask cross-line secrets. Added `dummy[_-]?(key|token|secret)` to
allowlist for legitimate test fixtures.
3. lib-rust-prebuild.sh — sha256 fail-closed (HIGH supply-chain)
File: install/lib-rust-prebuild.sh:75-88
Bug: when ${url}.sha256 404'd, installer printed WARNING and proceeded with
unverified tarball. A compromised github release uploader could ship a
malicious tarball, omit .sha256, and the installer would extract it into
~/.cargo/bin/.
Fix: missing .sha256 → ERROR + abort. Path A install fails → falls back to
Path B (cargo build from source). Override via KEI_ALLOW_UNVERIFIED_TARBALL=1
(visible per-call, intentional friction).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
133 lines
5.2 KiB
Bash
133 lines
5.2 KiB
Bash
# shellcheck shell=bash
|
|
# lib-rust-prebuild.sh — fresh-install Rust binary acquisition (v0.18+).
|
|
#
|
|
# Purpose: when install.sh runs in a fresh-clone tree, $KIT_DIR/_primitives/
|
|
# _rust/target/release/ is empty (target/ is gitignored). Without binaries,
|
|
# copy_prebuilt_substrate_binaries() in lib-substrate.sh skips silently and
|
|
# end users get no kei-fork / kei-ledger / kei-cortex / etc.
|
|
#
|
|
# Two acquisition paths:
|
|
#
|
|
# Path A — download from latest github release (fast, no Rust required):
|
|
# 1. Detect platform via uname → Rust target triple.
|
|
# 2. Fetch keisei-${TARGET}.tar.gz from
|
|
# https://github.com/KeiSei84/KeiSeiKit-1.0/releases/latest/download/
|
|
# 3. Verify sha256.
|
|
# 4. Extract into target/release/.
|
|
#
|
|
# Path B — cargo build --release --workspace fallback (slow, requires Rust):
|
|
# 1. Check `cargo` on PATH.
|
|
# 2. cd $KIT_DIR/_primitives/_rust && cargo build --release --workspace.
|
|
# 3. Slow first install (~5-15 min); subsequent installs are no-op.
|
|
#
|
|
# Path A tried first. On 404 / network fail / sha mismatch → Path B.
|
|
# On both failures → say + return non-zero (caller decides whether to abort).
|
|
#
|
|
# Requires: say from lib-log.sh.
|
|
# Reads globals: $KIT_DIR.
|
|
|
|
# Detect Rust target triple for current host.
|
|
# Echo target triple. Echo nothing on unsupported platform.
|
|
detect_rust_target() {
|
|
local arch os
|
|
arch="$(uname -m)"
|
|
os="$(uname -s)"
|
|
case "$arch" in
|
|
x86_64|amd64) arch="x86_64" ;;
|
|
arm64|aarch64) arch="aarch64" ;;
|
|
*) say " unsupported arch: $arch" >&2; return 1 ;;
|
|
esac
|
|
case "$os" in
|
|
Darwin) echo "${arch}-apple-darwin" ;;
|
|
Linux) echo "${arch}-unknown-linux-gnu" ;;
|
|
*) say " unsupported os: $os" >&2; return 1 ;;
|
|
esac
|
|
}
|
|
|
|
# True iff at least 5 of the kit's substrate-core binaries are pre-built
|
|
# in $KIT_DIR/_primitives/_rust/target/release/. Five is a quorum threshold;
|
|
# a partial build (e.g. user ran `cargo build -p kei-fork` once) is treated
|
|
# as "not pre-built" and we attempt full acquisition.
|
|
has_prebuilt_substrate_binaries() {
|
|
local src="$KIT_DIR/_primitives/_rust/target/release"
|
|
[ -d "$src" ] || return 1
|
|
local count
|
|
count=$(ls -1 "$src" 2>/dev/null | grep -cE '^kei-(fork|ledger|spawn|memory|router|cortex|capability|pet|shared|store|task|search-core|migrate)$' || true)
|
|
[ "${count:-0}" -ge 5 ]
|
|
}
|
|
|
|
# Path A: download release tarball from github.
|
|
# Returns 0 on success (binaries extracted), 1 on any failure (caller falls back).
|
|
download_release_tarball() {
|
|
local target="$1"
|
|
[ -n "$target" ] || return 1
|
|
local tarball="keisei-${target}.tar.gz"
|
|
local url="https://github.com/KeiSei84/KeiSeiKit-1.0/releases/latest/download/${tarball}"
|
|
local tmp
|
|
tmp="$(mktemp -d -t keisei-prebuild-XXXX 2>/dev/null)" || return 1
|
|
command -v curl >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
|
|
say " downloading prebuilt ${tarball}…"
|
|
if ! curl -fL --max-time 120 -o "$tmp/$tarball" "$url" 2>/dev/null; then
|
|
say " ${tarball} not available (HTTP fail) — falling back to cargo build"
|
|
rm -rf "$tmp"
|
|
return 1
|
|
fi
|
|
if curl -fL --max-time 30 -o "$tmp/${tarball}.sha256" "${url}.sha256" 2>/dev/null; then
|
|
(cd "$tmp" && shasum -a 256 -c "${tarball}.sha256" >/dev/null 2>&1) \
|
|
|| { say " sha256 mismatch on ${tarball} — refusing to install"; rm -rf "$tmp"; return 1; }
|
|
else
|
|
say " ERROR: no sha256 sidecar found at ${url}.sha256"
|
|
say " Refusing to install unverified tarball (RULE 0.1 supply-chain hardening)."
|
|
say " Override with KEI_ALLOW_UNVERIFIED_TARBALL=1 (visible per-call)."
|
|
if [ "${KEI_ALLOW_UNVERIFIED_TARBALL:-0}" = "1" ]; then
|
|
say " KEI_ALLOW_UNVERIFIED_TARBALL=1 set — proceeding without verification (DANGEROUS)."
|
|
else
|
|
rm -rf "$tmp"
|
|
return 1
|
|
fi
|
|
fi
|
|
local dst="$KIT_DIR/_primitives/_rust/target/release"
|
|
mkdir -p "$dst" || { rm -rf "$tmp"; return 1; }
|
|
if ! tar -xzf "$tmp/$tarball" -C "$dst" 2>/dev/null; then
|
|
say " failed to extract ${tarball}"
|
|
rm -rf "$tmp"
|
|
return 1
|
|
fi
|
|
rm -rf "$tmp"
|
|
say " prebuilt binaries installed (Path A) ✓"
|
|
return 0
|
|
}
|
|
|
|
# Path B: cargo build --release --workspace fallback.
|
|
cargo_build_workspace_fallback() {
|
|
command -v cargo >/dev/null 2>&1 \
|
|
|| { say " cargo not on PATH — install Rust: https://rustup.rs/ (or set KEI_SKIP_RUST=1)"; return 1; }
|
|
local crates_dir="$KIT_DIR/_primitives/_rust"
|
|
[ -f "$crates_dir/Cargo.toml" ] || { say " $crates_dir/Cargo.toml missing"; return 1; }
|
|
say " cargo build --release --workspace (slow first time, ~5-15 min)"
|
|
(cd "$crates_dir" && cargo build --release --workspace 2>&1 | tail -3) || {
|
|
say " cargo build failed — see output above"
|
|
return 1
|
|
}
|
|
say " binaries built from source (Path B) ✓"
|
|
return 0
|
|
}
|
|
|
|
# Main entry — call from install.sh BEFORE copy_prebuilt_substrate_binaries.
|
|
# Idempotent: returns 0 immediately if binaries already present.
|
|
ensure_rust_binaries() {
|
|
if has_prebuilt_substrate_binaries; then
|
|
return 0
|
|
fi
|
|
if [ "${KEI_SKIP_RUST:-0}" = "1" ]; then
|
|
say " KEI_SKIP_RUST=1 — skipping Rust binary acquisition"
|
|
return 0
|
|
fi
|
|
say "no prebuilt Rust binaries found — acquiring…"
|
|
local target
|
|
target="$(detect_rust_target)" || target=""
|
|
if [ -n "$target" ] && download_release_tarball "$target"; then
|
|
return 0
|
|
fi
|
|
cargo_build_workspace_fallback
|
|
}
|