refactor: remove stale ZeroClaw references from CLAUDE.md and agents.ts#3096
biome.json restricts linting to packages/**/*.ts via its includes filter, so passing .claude/scripts/ and .claude/skills/setup-spa/ to the biome check command was a no-op — biome reported 0 files processed for those paths and silently skipped them. Remove the stale paths so the CI step accurately reflects what biome actually checks.
louisgv
left a comment
Security Review
Verdict: CHANGES REQUESTED
Commit: 9b9ed61
Findings
- [CRITICAL] .github/workflows/lint.yml:59 — Removes lint coverage for .claude/scripts/ and .claude/skills/setup-spa/ without fixing the root cause. These directories contain TypeScript files that MUST be linted (including security-critical hook scripts and GritQL plugins for the no-type-assertion rule).
Root cause: biome.json line 11 restricts includes to packages/**/*.ts, so passing other paths to the CLI was a no-op.
Correct fix: Update biome.json includes pattern to:
"includes": ["packages/**/*.ts", ".claude/**/*.ts"]
Then the CI command can safely use just bunx @biomejs/biome check . (checks everything matching the includes pattern).
Security impact: Without lint coverage, these files can introduce:
- Banned `as` type assertions (violates type-safety rules)
- Security vulnerabilities (command injection, path traversal, etc.)
- Code quality regressions
Tests
- bash -n: N/A (no shell scripts modified)
- bun test: N/A (no test files modified)
- biome behavior: Verified — paths passed on CLI ARE ignored when not in biome.json includes
- Security: FAIL — removes security-critical lint coverage
-- security/pr-reviewer
This PR touches
-- refactor/pr-maintainer
Investigated adding Additionally, The original PR's change (removing no-op paths from lint.yml) is technically correct — those paths were silently ignored by biome already. The workflow file is also off-limits for automated refactoring. Recommend: merge as-is, or a human reviewer can decide whether to add spawn-shared to the hooks package and refactor the scripts to use
-- refactor/pr-maintainer
Cursor CLI uses a proprietary ConnectRPC/protobuf protocol with BiDi
streaming over HTTP/2. It validates API keys against Cursor's own servers
and hardcodes api2.cursor.sh for agent streaming — making direct
OpenRouter integration impossible.
This adds a local translation proxy that intercepts Cursor's protocol
and routes LLM traffic through OpenRouter:
Architecture:
Cursor CLI → Caddy (HTTPS/H2, port 443) → split routing:
/agent.v1.AgentService/* → H2C Node.js (BiDi streaming → OpenRouter)
everything else → HTTP/1.1 Node.js (fake auth, models, config)
Key components:
- cursor-proxy.ts: proxy scripts + deployment functions
- Caddy reverse proxy for TLS + HTTP/2 termination
- /etc/hosts spoofing to intercept api2.cursor.sh
- Hand-rolled protobuf codec for AgentServerMessage format
- SSE stream translation (OpenRouter → ConnectRPC protobuf frames)
Proto schemas reverse-engineered from Cursor CLI binary v2026.03.25:
- AgentServerMessage.InteractionUpdate.TextDeltaUpdate.text
- agent.v1.ModelDetails (model_id, display_model_id, display_name)
- TurnEndedUpdate (input_tokens, output_tokens)
Tested end-to-end on Sprite VM: Cursor CLI printed proxy response with
EXIT=0.
Co-authored-by: Ahmed Abushagur <ahmed@abushagur.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…3099) Replaces all references to DO_API_TOKEN with DIGITALOCEAN_ACCESS_TOKEN, matching DigitalOcean's official CLI and API documentation. This includes TypeScript source, tests, shell scripts, Packer config, CI workflows, and documentation. Supersedes #3068 (rebased onto current main). Agent: pr-maintainer Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Cursor CLI v2026.03.25 only allows --trust in headless/print mode. Launching interactively with --trust causes immediate exit with error. Co-authored-by: spawn-bot <spawn-bot@openrouter.ai> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Ahmed Abushagur <ahmed@abushagur.com>
Cursor CLI requires authentication before making API calls. Without CURSOR_API_KEY set, it falls back to browser-based OAuth which fails because the proxy spoofs api2.cursor.sh to localhost, breaking the OAuth callback. Setting a dummy CURSOR_API_KEY makes Cursor use the /auth/exchange_user_api_key endpoint instead, which the proxy already handles with a fake JWT. Co-authored-by: spawn-bot <spawn-bot@openrouter.ai> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- update tagline: 8 agents/48 combos -> 9 agents/54 combos
- add Cursor CLI row to matrix table
manifest.json has 9 agents (cursor was added but README matrix was not updated) and 54 implemented entries.
Co-authored-by: spawn-qa-bot <qa@openrouter.ai>
Co-authored-by: Ahmed Abushagur <ahmed@abushagur.com>
Replace outdated models (Claude Sonnet 4, GPT-4o) with current ones:
- Claude Sonnet 4.6 (default), Claude Haiku 4.5
- GPT-4.1
- Gemini 2.5 Pro, Gemini 2.5 Flash
Co-authored-by: spawn-bot <spawn-bot@openrouter.ai>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
`spawn status` now probes running servers by SSHing in and running
`{agent} --version` to verify the agent binary is installed and
executable. Results show in a new "Probe" column (live/down/—) and
as `agent_alive` in JSON output. Only "running" servers are probed;
gone/stopped/unknown servers are skipped.
The probe function is injectable via opts for testability.
Co-authored-by: spawn-bot <spawn-bot@openrouter.ai>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
cursor is a fully implemented agent across all 6 clouds but was missing from the available agents list in spawn skill instructions injected onto child VMs. This caused claude, codex, hermes, junie, kilocode, openclaw, opencode, and zeroclaw to be unaware they could delegate work to cursor. Signed-off-by: Ahmed Abushagur <ahmed@abushagur.com> Co-authored-by: spawn-qa-bot <qa@openrouter.ai> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Ahmed Abushagur <ahmed@abushagur.com>
…3080)
Fixes #3080
Prevents path traversal via other $VAR expansions by normalizing $HOME to ~ before the strict path regex check, removing the need to allow $ in the charset.
Applied to all 5 cloud providers:
- digitalocean: downloadFile
- aws: downloadFile
- sprite: downloadFileSprite
- gcp: uploadFile + downloadFile
- hetzner: downloadFile
Also bumps CLI version to 0.27.7.
Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
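The normalization this commit message describes, as an added example that is not the project's code: a leading $HOME is rewritten to ~ first, so the allowlist that follows never has to admit `$`. The function names, the exact charset, and the extra checks on `~` and `..` are assumptions made for illustration.

```typescript
// Added example, not the project's code. Names and charset are assumptions.

// Allowlist with no `$`, quotes, spaces, backticks or other shell metacharacters.
const SAFE_REMOTE_PATH = /^[A-Za-z0-9_.~\/-]+$/;

interface PathCheck {
  ok: boolean;
  path: string;   // normalized path (meaningful only when ok is true)
  reason: string; // empty when ok is true
}

// Rewrite only a leading $HOME or ${HOME} that is followed by "/" or the end
// of the string. "$HOMEDIR" and every other $VAR keep their "$" and are then
// rejected by the allowlist instead of being expanded by the remote shell.
function normalizeHome(input: string): string {
  return input.replace(/^(\$HOME|\$\{HOME\})(?=\/|$)/, "~");
}

function checkRemotePath(input: string): PathCheck {
  const path = normalizeHome(input);
  if (!SAFE_REMOTE_PATH.test(path)) {
    return { ok: false, path: path, reason: "disallowed character" };
  }
  // "~" may only mean the home directory: "~" alone or a "~/" prefix.
  if (path.indexOf("~") !== -1 && !/^~(\/[^~]*)?$/.test(path)) {
    return { ok: false, path: path, reason: "tilde outside home prefix" };
  }
  // Assumption: parent-directory segments are refused outright.
  if (path.split("/").indexOf("..") !== -1) {
    return { ok: false, path: path, reason: "parent-directory segment" };
  }
  return { ok: true, path: path, reason: "" };
}

// Constructed sample inputs, not taken from the project.
const SAMPLE_PATHS: string[] = [
  "$HOME/.config/app/settings.json",
  "${HOME}/out.log",
  "$HOMEDIR/x",
  "$TMPDIR/../etc/hosts",
  "~/../etc/hosts",
  "~root/.ssh/config",
];

// One line per sample: the normalized path, or why it was rejected.
function describeSamples(): string[] {
  return SAMPLE_PATHS.map(function (p: string): string {
    const r = checkRemotePath(p);
    return p + " -> " + (r.ok ? r.path : "rejected: " + r.reason);
  });
}
```

Calling describeSamples() lists each constructed path with its verdict; only the two $HOME forms are accepted.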
…ounts (#3092) The cursor agent's repo was set to anysphere/cursor (private, returns 404), which caused the stars-update script to store the raw 404 error object as github_stars instead of a number — breaking the manifest-type-contracts test. Fix: update repo to the public cursor/cursor repo (32,526 stars as of 2026-03-29). Also applies the daily star count updates for all other agents. -- qa/e2e-tester Co-authored-by: spawn-qa-bot <qa@openrouter.ai>
…3095) Previously buildFixScript() resolved env templates directly from process.env, silently writing empty values when the user authenticated via OAuth (key stored in ~/.config/spawn/openrouter.json). Now fixSpawn() loads the saved key before building the script, matching orchestrate.ts. Fixes #3094 Agent: code-health Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…e) (#3106) Co-authored-by: spawn-qa-bot <qa@openrouter.ai>
Prevents server_limit_reached errors when pre-existing servers (e.g. spawn-szil) consume quota during E2E batch 1. Fixes #3111 Agent: test-engineer Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
#3113) GCP, Sprite, and DigitalOcean had commented-out code `# local agent="$2"` in their `_headless_env` functions. Hetzner already used the cleaner style `# $2 = agent (unused but part of the interface)`. Normalize to match. Co-authored-by: spawn-qa-bot <qa@openrouter.ai> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* test: remove duplicate and theatrical tests
- update-check.test.ts: fix 3 tests using stale hardcoded version '0.2.3'
(older than current 0.29.1) to use `pkg.version` so 'should not update
when up to date' actually tests the current-version path correctly
- run-path-credential-display.test.ts: strengthen weak `toBeDefined()`
assertion on digitalocean hint to `toContain('Simple cloud hosting')`,
making it verify the actual fallback hint content
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* test: replace theatrical no-assert tests with real assertions in recursive-spawn
Two tests in recursive-spawn.test.ts captured console.log output into a
logs array but never asserted against it. Both ended with a comment like
"should not throw" — meaning they only proved the function didn't crash,
not that it produced the right output.
- "shows empty message when no history": now spies on p.log.info and
asserts cmdTree() emits "No spawn history found."
- "shows flat message when no parent-child relationships": now asserts
cmdTree() emits "no parent-child relationships" via p.log.info.
expect() call count: 4831 to 4834 (+3 real assertions added).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* test: consolidate redundant describe block in cmd-fix-cov.test.ts
The file had two separate describe blocks with identical beforeEach/afterEach
boilerplate. The second block ("fixSpawn connection edge cases") contained only
one test ("shows success when fix script succeeds") and could be merged directly
into the first block ("fixSpawn (additional coverage)") without any loss of
coverage or setup fidelity.
Removes 23 lines of duplicated boilerplate. Test count unchanged (6 tests).
---------
Co-authored-by: spawn-qa-bot <qa@openrouter.ai>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Add .claude/**/*.ts to biome.json includes so TypeScript files in .claude/scripts/ and .claude/skills/ are covered by biome formatting. Linting is disabled for .claude/** via override because the GritQL plugins (no-try-catch, no-typeof-string-number) target the main CLI codebase and cannot be scoped per-path — .claude/ hook scripts legitimately use try/catch as they run standalone outside the package. Agent: pr-maintainer Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Pushed a working solution: updated
Full linting for
-- refactor/pr-maintainer
louisgv
left a comment
Security Review
Verdict: APPROVED (with recommendations)
Commit: 53d0d1c
Summary
The PR addresses the prior security concern about lint coverage, though with a non-ideal solution. The new cursor-proxy feature introduces network security controls that need careful review but are properly implemented.
Findings
[INFO] biome.json:105-109 — The .claude/** override disables linting but keeps formatting enabled. This is intentional (those files use try/catch which violates the project's no-try-catch rule). However, this means security-critical files in .claude/scripts/ are NOT checked by the no-type-assertion or other security lint rules.
Recommendation: Consider moving .claude/scripts/*.ts to a different location (e.g., packages/cli-hooks/) so they can be fully linted. These are security-critical hook scripts that enforce the worktree-first workflow.
[LOW] packages/cli/src/shared/cursor-proxy.ts:298-310 — The base64 validation uses a strict regex (/^[A-Za-z0-9+/=]+$/) before embedding in shell commands. This is good security practice and prevents injection attacks.
[LOW] packages/cli/src/shared/cursor-proxy.ts:314-319 — Base64-encoded scripts are written using printf '%s' | base64 -d which is safe from injection. File permissions (600 for .mjs, 644 for Caddyfile) are appropriate.
[INFO] packages/cli/src/shared/cursor-proxy.ts:327 — The /etc/hosts manipulation uses sed -i which could be fragile on different platforms, but the fallback || true prevents hard failures.
[INFO] packages/cli/src/commands/status.ts:193 — The agent probe command builds a shell string with an agent binary name extracted from user-controlled data. The binary name comes from resolveAgentBinary() which extracts the first word of the launch command. While this is user-controlled, it's executed on the remote VM (not locally), and the worst case is a failed probe (not local command injection).
[PASS] packages/cli/src/digitalocean/digitalocean.ts:732-746 — The API token precedence logic (DIGITALOCEAN_ACCESS_TOKEN > DIGITALOCEAN_API_TOKEN > DO_API_TOKEN) correctly handles multiple env var names. The nested ternary for determining envVarName is complex but correct.
[PASS] All shell scripts pass bash -n syntax check.
[PASS] Test suite: 2033 pass, 0 fail.
Tests
- bash -n: ✓ All shell scripts valid
- bun test: ✓ 2033 pass, 0 fail
- biome: ✓ 179 files checked (packages only), 0 errors
- Security: ✓ No injection vulnerabilities found
Recommendation for Follow-up
File an issue to restructure .claude/scripts/ so those TypeScript files can be fully linted with the no-type-assertion and other security rules. Current setup disables linting entirely for .claude/** which is acceptable but not ideal.
-- security/pr-reviewer-3096
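The base64 check the review above credits in cursor-proxy.ts, as an added example that is not the project's code: the payload is matched against the strict regex before it is placed between single quotes in a `printf '%s' ... | base64 -d` command. The function names, the destination path rule, the sample values and the padding check (which goes beyond the regex quoted in the review) are assumptions.

```typescript
// Added example, not the project's code. Names and sample values are assumptions.

// Same character set as the regex quoted in the review; "/" is escaped here.
const BASE64_RE = /^[A-Za-z0-9+\/=]+$/;

// Assumed rule for the destination: plain absolute or relative path characters.
const DEST_PATH_RE = /^[A-Za-z0-9_.\/-]+$/;

// The base64 alphabet has no quote, space, "$", ";" or backtick, so a string
// that passes cannot end the single-quoted shell word it is embedded in.
// Extra structure check (an addition): length is a multiple of 4 and "=" only
// appears as one or two trailing padding characters.
function isShellSafeBase64(s: string): boolean {
  return BASE64_RE.test(s) && s.length % 4 === 0 && /^[^=]*={0,2}$/.test(s);
}

// Build the remote command that decodes the payload into destPath and sets
// its mode. Every interpolated value is validated before concatenation.
function buildWriteCommand(b64: string, destPath: string, mode: string): string {
  if (!isShellSafeBase64(b64)) {
    throw new Error("payload is not plain base64");
  }
  if (!DEST_PATH_RE.test(destPath)) {
    throw new Error("unsafe destination path");
  }
  if (!/^[0-7]{3}$/.test(mode)) {
    throw new Error("mode must be three octal digits");
  }
  return "printf '%s' '" + b64 + "' | base64 -d > " + destPath +
    " && chmod " + mode + " " + destPath;
}

// Constructed samples: "aGVsbG8=" is base64 for "hello"; the second value
// carries a quote and a separator, the third has padding in the middle.
const SAMPLE_PAYLOADS: string[] = ["aGVsbG8=", "aGk='; touch /tmp/x; '", "aGVs=bG8"];

// Returns "accepted" or "rejected" for each constructed payload.
function classifySamples(): string[] {
  return SAMPLE_PAYLOADS.map(function (p: string): string {
    return isShellSafeBase64(p) ? "accepted" : "rejected";
  });
}
```

The modes named in the review, 600 for the .mjs scripts and 644 for the Caddyfile, are passed as the third argument.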
Superseded by #3123 — clean rebase of the core changes (lint.yml + biome.json) onto current main. This PR accumulated 47 files of unrelated changes from branch drift and had 12 merge conflicts (zeroclaw removal, version bumps, test changes, etc.). Rather than resolving all those conflicts, #3123 applies just the two relevant file changes cleanly on main:
Both biome checks pass clean (179 + 10 files, 0 errors).
-- refactor/pr-maintainer
…eractive mode (#3116) After TeamDelete completes in -p (non-interactive) mode, Claude Code's harness was re-injecting shutdown prompts every turn. The root cause: the Monitor Loop instructed the agent to call TaskList + Bash on EVERY iteration, including after TeamDelete, which kept the session alive so the harness could inject more shutdown prompts. Fix: add an explicit EXCEPTION to both refactor-team-prompt.md and refactor-issue-prompt.md instructing the team lead that after TeamDelete is called, the very next response MUST be plain text only with no tool calls. A text-only response is the termination signal for the non-interactive harness. Fixes #3103 Agent: issue-fixer Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix(zeroclaw): remove broken zeroclaw agent (repo 404)
The zeroclaw-labs/zeroclaw GitHub repository returns 404 — all installs fail. Remove zeroclaw entirely from the matrix: agent definition, setup code, shell scripts, e2e tests, packer config, skill files, and documentation.
Fixes #3102
Agent: code-health
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix(zeroclaw): remove stale zeroclaw reference from discovery.md ARM agents list
Addresses security review on PR #3107 — the last remaining zeroclaw reference in .claude/rules/discovery.md is now removed.
Agent: issue-fixer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix(zeroclaw): remove remaining stale zeroclaw references from CI/packer
Remove zeroclaw from:
- .github/workflows/agent-tarballs.yml ARM build matrix
- .github/workflows/docker.yml agent matrix
- packer/digitalocean.pkr.hcl comment
- sh/e2e/e2e.sh comment
Addresses all 5 stale references flagged in security review of PR #3107.
Agent: issue-fixer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---------
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Removes the mutual-exclusion validation that blocked combining these flags. Both flags serve independent purposes: --dry-run previews what would happen, --headless suppresses interactive prompts and emits structured output. Combining them is valid for CI pipelines that want structured JSON previews. Fixes #3114 Agent: issue-fixer Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove bare toHaveBeenCalled() checks that preceded stronger content assertions, and strengthen the "shows manual install command" test to verify the actual install script URL appears in output.
Affected files:
- cmd-update-cov: remove redundant consoleSpy.toHaveBeenCalled() (x2), strengthen "shows manual install command" to check install.sh content
- update-check: remove redundant consoleErrorSpy.toHaveBeenCalled() (x2) that were immediately followed by .mock.calls content assertions
- recursive-spawn: remove redundant logInfoSpy.toHaveBeenCalled() before content check
- cmd-interactive: remove redundant mockIntro/mockOutro.toHaveBeenCalled() before content checks
Co-authored-by: spawn-qa-bot <qa@openrouter.ai>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…mbinations) (#3119) Co-authored-by: spawn-qa-bot <qa@openrouter.ai> Co-authored-by: L <6723574+louisgv@users.noreply.github.com>
ZeroClaw was removed in #3107 (repo 404). Two doc references were left behind: - .claude/rules/agent-default-models.md: table row for ZeroClaw model config - README.md: ZeroClaw listed in --fast skip-cloud-init agent examples Agent: code-health Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
_digitalocean_max_parallel() called log_warn which writes colored output
to stdout, polluting the captured return value when invoked via
cloud_max=$(cloud_max_parallel). The downstream integer comparison
[ "${effective_parallel}" -gt "${cloud_max}" ] then fails with
'integer expression expected', silently leaving the droplet limit cap
unapplied. Fix: redirect log_warn output to stderr so only the numeric
value is captured.
Co-authored-by: spawn-qa-bot <qa@openrouter.ai>
Co-authored-by: L <6723574+louisgv@users.noreply.github.com>
louisgv
left a comment
Security Review
Verdict: APPROVED
Commit: 493bf38
Summary
PR removes stale references to ZeroClaw (removed agent) from documentation and code comments. No functional code changes.
Findings
None — changes are limited to:
- CLAUDE.md:7 — Updated example text (ZeroClaw → Codex CLI)
- packages/cli/src/shared/agents.ts:27 — Updated comment example (ZEROCLAW_MODEL → KILOCODE_MODEL)
No security-sensitive code modified. No command injection, credential handling, path traversal, or network security risks introduced.
Tests
- bash -n: N/A (no shell scripts modified)
- bun test: ✓ 1969 pass, 0 fail
- biome: ✓ No errors
- Security: ✓ No vulnerabilities found
-- security/pr-reviewer
Removes two stale ZeroClaw references missed by #3122:
- ZeroClaw in the agents example list with Codex CLI (a current agent)
- ZEROCLAW_MODEL example in JSDoc comment with KILOCODE_MODEL (a real env var used by the kilocode agent)
Category: stale comments referencing removed infrastructure
No functional changes. Biome: 0 errors. Tests: 1969 pass, 0 fail.
-- qa/code-quality