feat: pre-built agent tarballs for fast install (#2232)

* feat: pre-built agent tarballs on GitHub Releases for fast install

Adds a nightly GitHub Actions workflow that builds and uploads agent
tarballs to rolling GitHub Releases. During provisioning, the CLI now
attempts to download and extract a tarball before falling back to live
install. Priority chain: snapshot > tarball > live install.

- New workflow: .github/workflows/agent-tarballs.yml
- New capture script: packer/scripts/capture-agent.sh
- New module: packages/cli/src/shared/agent-tarball.ts
- Orchestrate tries tarball first on non-local clouds
- Skip tarball when using DO snapshot (skipTarball flag)
- Tests for tarball install + orchestration integration

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use global.fetch mock pattern and address security review

- Use `global.fetch = mock(...)` instead of `spyOn(globalThis, "fetch")`
  to match codebase convention and fix CI mock interception
- Add URL validation regex to reject shell metacharacters (CRITICAL)
- Add agent name validation in workflow input (MEDIUM)
- Add `jq has()` check before executing install commands (CRITICAL)
- Use `tar -T` instead of unquoted word-splitting in capture-agent.sh (MEDIUM)
- Resolve merge conflicts with upstream/main (keep Docker fields, adapt
  to simplified DO flow, bump version to 0.15.0)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use globalThis.fetch for testability in CI

Bun's native fetch binding doesn't go through global.fetch property
lookup, so global.fetch = mock(...) doesn't intercept it. Using
globalThis.fetch explicitly ensures the mock interception works.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add missing packer dependencies and harden install command safety

- Add packer/agents.json (agent tier + install command definitions)
- Add packer/scripts/tier-{minimal,node,bun,full}.sh (dependency scripts)
- Add basic command safety check rejecting suspicious patterns
- Document packer/agents.json as a trust boundary requiring PR review

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tarballs): fix npm prefix mismatch, add apt-get update, cleanup

- Add apt-get update -y before apt-get install in all tier scripts
- Add --prefix ~/.npm-global to npm install commands in agents.json
  so installed packages land where capture-agent.sh expects them
- Rename misleading MARKER_DIR → MARKER_FILE in capture-agent.sh
- Remove stale comment referencing packer snapshots in workflow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tarballs): detect empty agent installs in capture script

The "no files found" check was dead code — the marker file is always
created before filtering, so FILTERED_FILE always had at least one
entry. Now we count non-marker entries to catch cases where the agent
install silently fails and no actual files are on disk.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tarballs): use bare fetch() for Bun mock compatibility in CI

In Bun, global.fetch = mock(...) overrides bare fetch() calls but NOT
globalThis.fetch() calls. Every other source file in the codebase uses
bare fetch() and their mocks work fine in CI. Switch to match.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tarballs): use dependency injection for fetch in tests

Bun's global.fetch mock doesn't reliably intercept bare fetch() calls
across all Bun versions in CI. Instead of fighting the runtime, accept
an optional fetchFn parameter (defaults to fetch) and pass mock fetch
directly in tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tarballs): bypass mock.module bleed in agent-tarball tests

orchestrate.test.ts uses mock.module("../shared/agent-tarball", ...)
which is process-global in Bun and bleeds into agent-tarball.test.ts.
Import via URL (import.meta.url resolution) to bypass the specifier-
based mock matching and get the real module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tarballs): eliminate mock.module bleed between test files

Bun's mock.module is process-global — orchestrate.test.ts mocking
agent-tarball poisoned agent-tarball.test.ts (the mock function
ignored the fetchFn parameter and always returned false).

Fix: make tryTarballInstall injectable via OrchestrationOptions.
orchestrate.test.ts passes the mock directly via options instead
of using mock.module. agent-tarball.test.ts imports the real module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tests): mock Bun.which in credential priority tests

Tests assumed no cloud CLIs were installed, but machines with hcloud/
doctl would get "CLI installed" hint overrides, failing the assertion.
Spy on Bun.which to return null so tests are environment-independent.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: fix import ordering after rebase

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* security: add curl domain allowlist and expand command blocklist

Addresses security review findings:
- Add domain allowlist for curl/wget targets (claude.ai, opencode.ai,
  raw.githubusercontent.com, registry.npmjs.org, crates.io, github.com)
- Expand suspicious command blocklist (python -c, perl -e, ruby -e, dd, /dev/)
- Document 4-layer security model in workflow comments

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* security: add rm -rf to command blocklist

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Ahmed Abushagur <ahmed@abushagur.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: AhmedTMM

.github/workflows/agent-tarballs.yml

@@ -0,0 +1,147 @@
+name: Agent Tarballs
+
+on:
+  schedule:
+    # 5 AM UTC daily
+    - cron: "0 5 * * *"
+  workflow_dispatch:
+    inputs:
+      agent:
+        description: "Single agent to build (leave empty for all)"
+        required: false
+        type: string
+
+permissions:
+  contents: write
+
+jobs:
+  matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      agents: ${{ steps.set-matrix.outputs.agents }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: set-matrix
+        env:
+          AGENT_INPUT: ${{ inputs.agent }}
+        run: |
+          if [ -n "${AGENT_INPUT:-}" ]; then
+            # Validate: agent name must be alphanumeric/hyphens only
+            if ! printf '%s' "${AGENT_INPUT}" | grep -qE '^[a-z][a-z0-9-]*$'; then
+              echo "::error::Invalid agent name: ${AGENT_INPUT}"
+              exit 1
+            fi
+            echo "agents=$(jq -cn --arg a "${AGENT_INPUT}" '[$a]')" >> "$GITHUB_OUTPUT"
+          else
+            echo "agents=$(jq -c 'keys' packer/agents.json)" >> "$GITHUB_OUTPUT"
+          fi
+
+  build:
+    needs: matrix
+    runs-on: ubuntu-latest
+    strategy:
+      max-parallel: 3
+      fail-fast: false
+      matrix:
+        agent: ${{ fromJson(needs.matrix.outputs.agents) }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install agent under /root
+        env:
+          AGENT_NAME: ${{ matrix.agent }}
+        run: |
+          set -eo pipefail
+
+          # Validate agent exists in agents.json (prevents path traversal / injection)
+          if ! jq -e --arg a "${AGENT_NAME}" 'has($a)' packer/agents.json > /dev/null; then
+            echo "::error::Unknown agent: ${AGENT_NAME}"
+            exit 1
+          fi
+
+          # Read the agent's tier from packer/agents.json
+          TIER=$(jq -r --arg a "${AGENT_NAME}" '.[$a].tier' packer/agents.json)
+          echo "==> Agent: ${AGENT_NAME}, Tier: ${TIER}"
+
+          # Run tier script (sets up node/bun/etc. under /root)
+          if [ -f "packer/scripts/tier-${TIER}.sh" ]; then
+            echo "==> Running tier script: tier-${TIER}.sh"
+            sudo HOME=/root bash "packer/scripts/tier-${TIER}.sh"
+          fi
+
+          # TRUST BOUNDARY: packer/agents.json is version-controlled and requires
+          # PR review to modify. Install commands are executed via bash -c, so any
+          # change to agents.json MUST be reviewed carefully for command safety.
+          #
+          # Security layers:
+          #   1. agents.json changes require PR review (branch protection)
+          #   2. curl/wget targets validated against domain allowlist
+          #   3. Suspicious command patterns rejected via blocklist
+          #   4. Runs in ephemeral GitHub Actions container (destroyed after each run)
+          echo "==> Installing agent..."
+
+          # Allowed domains for curl/wget downloads (official agent vendor domains)
+          ALLOWED_DOMAINS="claude.ai|opencode.ai|raw.githubusercontent.com|registry.npmjs.org|crates.io|github.com"
+
+          CMD_COUNT=$(jq -r --arg a "${AGENT_NAME}" '.[$a].install | length' packer/agents.json)
+          i=0
+          while [ "$i" -lt "$CMD_COUNT" ]; do
+            cmd=$(jq -r --arg a "${AGENT_NAME}" --argjson i "$i" '.[$a].install[$i]' packer/agents.json)
+
+            # Safety layer 1: reject suspicious command patterns
+            if printf '%s' "${cmd}" | grep -qE '(mktemp|eval |base64 -d|/dev/tcp|nc -[elp]|python[23]? -c|perl -e|ruby -e|\bdd\b|>[[:space:]]*/dev/|rm -rf)'; then
+              echo "::error::Suspicious install command rejected: ${cmd}"
+              exit 1
+            fi
+
+            # Safety layer 2: validate curl/wget URLs against domain allowlist
+            if printf '%s' "${cmd}" | grep -qE '(curl|wget)'; then
+              urls=$(printf '%s' "${cmd}" | grep -oE 'https?://[^[:space:]"|'\'']+' || true)
+              for url in ${urls}; do
+                domain=$(printf '%s' "${url}" | sed -E 's|^https?://([^/]+).*|\1|')
+                if ! printf '%s' "${domain}" | grep -qE "^(${ALLOWED_DOMAINS})$"; then
+                  echo "::error::curl/wget to unapproved domain '${domain}' in: ${cmd}"
+                  exit 1
+                fi
+              done
+            fi
+
+            echo "==> Running: ${cmd}"
+            sudo HOME=/root bash -c "${cmd}"
+            i=$((i + 1))
+          done
+
+      - name: Capture agent files into tarball
+        env:
+          AGENT_NAME: ${{ matrix.agent }}
+        run: |
+          set -eo pipefail
+          sudo bash packer/scripts/capture-agent.sh "${AGENT_NAME}"
+
+      - name: Create or update GitHub Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AGENT_NAME: ${{ matrix.agent }}
+        run: |
+          set -eo pipefail
+          TAG="agent-${AGENT_NAME}-latest"
+          DATE=$(date -u +%Y%m%d)
+          TARBALL="spawn-agent-${AGENT_NAME}-x86_64-${DATE}.tar.gz"
+
+          # Move tarball to expected name
+          mv "/tmp/spawn-agent-${AGENT_NAME}.tar.gz" "${TARBALL}"
+
+          # Delete existing release if present (rolling release)
+          gh release delete "${TAG}" --yes 2>/dev/null || true
+
+          # Create fresh release with the tarball
+          gh release create "${TAG}" "${TARBALL}" \
+            --title "Agent tarball: ${AGENT_NAME} (${DATE})" \
+            --notes "Pre-built tarball for \`${AGENT_NAME}\` agent. Auto-generated nightly." \
+            --prerelease

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openrouter/spawn",
-  "version": "0.14.4",
+  "version": "0.15.0",
   "type": "module",
   "bin": {
     "spawn": "cli.js"

packages/cli/src/__tests__/agent-tarball.test.ts

@@ -0,0 +1,168 @@
+/**
+ * agent-tarball.test.ts — Tests for pre-built tarball install logic.
+ *
+ * Verifies that tryTarballInstall:
+ * - Queries the correct GitHub Release tag
+ * - Runs curl | tar on the remote via runner.runServer
+ * - Returns false when the release doesn't exist
+ * - Returns false when runner.runServer throws
+ * - Rejects URLs with shell injection characters
+ */
+
+import { afterEach, beforeEach, describe, expect, it, mock, spyOn } from "bun:test";
+
+// Suppress stderr (logStep/logWarn) with a spy in beforeEach.
+
+const { tryTarballInstall } = await import("../shared/agent-tarball");
+
+// ── Helpers ──────────────────────────────────────────────────────────────
+
+function createMockRunner() {
+  return {
+    runServer: mock(() => Promise.resolve()),
+    uploadFile: mock(() => Promise.resolve()),
+  };
+}
+
+const RELEASE_PAYLOAD = {
+  assets: [
+    {
+      name: "spawn-agent-openclaw-x86_64-20260305.tar.gz",
+      browser_download_url:
+        "https://github.com/OpenRouterTeam/spawn/releases/download/agent-openclaw-latest/spawn-agent-openclaw-x86_64-20260305.tar.gz",
+    },
+  ],
+};
+
+// ── Tests ────────────────────────────────────────────────────────────────
+
+describe("tryTarballInstall", () => {
+  let stderrSpy: ReturnType<typeof spyOn>;
+
+  beforeEach(() => {
+    stderrSpy = spyOn(process.stderr, "write").mockImplementation(() => true);
+  });
+
+  afterEach(() => {
+    stderrSpy.mockRestore();
+  });
+
+  /** Create a mock fetch that returns the given response. */
+  function mockFetch(response: Response): typeof fetch {
+    return mock(async () => response);
+  }
+
+  /** Create a mock fetch that captures the URL and returns the given response. */
+  function mockFetchCapture(response: Response): {
+    fetchFn: typeof fetch;
+    getUrl: () => string;
+  } {
+    let url = "";
+    const fetchFn: typeof fetch = mock(async (input: string | URL | Request) => {
+      url = String(input);
+      return response;
+    });
+    return {
+      fetchFn,
+      getUrl: () => url,
+    };
+  }
+
+  it("queries correct GitHub Release tag", async () => {
+    const { fetchFn, getUrl } = mockFetchCapture(new Response(JSON.stringify(RELEASE_PAYLOAD)));
+    const runner = createMockRunner();
+
+    await tryTarballInstall(runner, "openclaw", fetchFn);
+
+    expect(getUrl()).toContain("/releases/tags/agent-openclaw-latest");
+  });
+
+  it("runs curl | tar xz -C / on the remote VM", async () => {
+    const fetchFn = mockFetch(new Response(JSON.stringify(RELEASE_PAYLOAD)));
+    const runner = createMockRunner();
+
+    const result = await tryTarballInstall(runner, "openclaw", fetchFn);
+
+    expect(result).toBe(true);
+    expect(runner.runServer).toHaveBeenCalledTimes(1);
+    const cmd = String(runner.runServer.mock.calls[0][0]);
+    expect(cmd).toContain("curl -fsSL");
+    expect(cmd).toContain("tar xz -C /");
+    expect(cmd).toContain(".spawn-tarball");
+  });
+
+  it("returns false when release does not exist (404)", async () => {
+    const fetchFn = mockFetch(
+      new Response("Not Found", {
+        status: 404,
+      }),
+    );
+    const runner = createMockRunner();
+
+    const result = await tryTarballInstall(runner, "nonexistent", fetchFn);
+
+    expect(result).toBe(false);
+    expect(runner.runServer).not.toHaveBeenCalled();
+  });
+
+  it("returns false when runner.runServer throws", async () => {
+    const fetchFn = mockFetch(new Response(JSON.stringify(RELEASE_PAYLOAD)));
+    const runner = createMockRunner();
+    runner.runServer.mockImplementation(() => Promise.reject(new Error("SSH connection refused")));
+
+    const result = await tryTarballInstall(runner, "openclaw", fetchFn);
+
+    expect(result).toBe(false);
+  });
+
+  it("returns false when release has no .tar.gz asset", async () => {
+    const noTarball = {
+      assets: [
+        {
+          name: "README.md",
+          browser_download_url: "https://example.com",
+        },
+      ],
+    };
+    const fetchFn = mockFetch(new Response(JSON.stringify(noTarball)));
+    const runner = createMockRunner();
+
+    const result = await tryTarballInstall(runner, "openclaw", fetchFn);
+
+    expect(result).toBe(false);
+    expect(runner.runServer).not.toHaveBeenCalled();
+  });
+
+  it("returns false when release response has unexpected format", async () => {
+    const fetchFn = mockFetch(
+      new Response(
+        JSON.stringify({
+          unexpected: true,
+        }),
+      ),
+    );
+    const runner = createMockRunner();
+
+    const result = await tryTarballInstall(runner, "openclaw", fetchFn);
+
+    expect(result).toBe(false);
+  });
+
+  it("returns false when URL contains shell injection characters", async () => {
+    const malicious = {
+      assets: [
+        {
+          name: "evil.tar.gz",
+          browser_download_url: "https://github.com/x/y/releases/download/v1/a.tar.gz'; rm -rf / ; echo '",
+        },
+      ],
+    };
+    const fetchFn = mockFetch(new Response(JSON.stringify(malicious)));
+    const runner = createMockRunner();
+
+    const result = await tryTarballInstall(runner, "openclaw", fetchFn);
+
+    expect(result).toBe(false);
+    expect(runner.runServer).not.toHaveBeenCalled();
+  });
+});