[spark-compete wave 1] install & build right — 30 PRs → 6 consolidated commits #1455
…ormed-script tolerance, unicode injection defense

Consolidates spark-compete Wave-1 input-hardening PRs:
- #1432 sanitize module name from git URL (path traversal) — @ifeoluwaaj
- #1434 validate column names vs allowlist before SQL interpolation — @ifeoluwaaj
- #1423 tolerate malformed package scripts — @Aeyod7
- #1425 unicode normalization in prompt-injection scanner (homoglyph evasion) — @ifeoluwaaj

Maintainer completion: added tests/test_prompt_injection_unicode.py covering normalize_unicode + homoglyph-obfuscated injection detection (#1425 headline shipped untested).

Co-authored-by: ifeoluwaaj <ifeoluwaaj@users.noreply.github.com>
Co-authored-by: Aeyod7 <Aeyod7@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

…ntity-mutation commands

Consolidates spark-compete Wave-1 approval PRs (@mrxlolcat):
- #1440 require approval for docker exec, nsenter, chroot (container_privilege_escalation)
- #1441 require approval for user/group/credential mutations (identity_access_mutation)

adopt_interim: this CLI-surface approval classifier is the still-live gate; on the CLI->harness-core migration it must be re-homed into the Governor approval classifier (authority plane), not left as string matching. No data migration.

Maintainer completion: hand-merged #1441's classifier block (line-drift conflict with #1440 in approval.py/test_cli.py) and added tests/test_approval_wave1.py.

Co-authored-by: mrxlolcat <mrxlolcat@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

…ace dedup, SPARK_HOME write-guard, restart/SSH/install fixes

Consolidates spark-compete Wave-1 CLI-robustness PRs (resurrected from reviewed-but-unadopted):
- #239 accurate error when provider key is managed externally — @mrxlolcat
- #241 save partial doctor report even when LLM probe fails — @mrxlolcat
- #238 deduplicate trace repair queue entries — @mrxlolcat
- #246 exclude SPARK_HOME from write_denied_prefixes (unblocks live start/update) — @mrxlolcat
- #81 restart exit code, stop_module PID safety, SSH JSON error, install.sh word-split — @binance1230
- #210 Windows installer preflight when python3 app alias fails — @codex

Maintainer completion: 3-way rebased onto current master; stripped the bundled registry.json commit-pin bumps (unauthorized attestation-pin regression).

Co-authored-by: mrxlolcat <mrxlolcat@users.noreply.github.com>
Co-authored-by: binance1230 <binance1230@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

…fallback

Consolidates spark-compete Wave-1 CLI-UX PRs (resurrected):
- #242 helpful menus for bare 'spark os' / 'spark providers' / 'spark support' — @mrxlolcat
- #240 helpful message for bare 'spark recommend' + clarify --desktop help — @mrxlolcat
- #283 Android/Termux Desktop fallback when ~/Desktop does not exist — @johncrossu

Maintainer completion: applied #240 paired with #242's required=False relax (else the guard is dead code); stripped #283's bundled registry.json bump.

Co-authored-by: mrxlolcat <mrxlolcat@users.noreply.github.com>
Co-authored-by: johncrossu <johncrossu@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

…acing CLI output

Consolidates nine spark-compete Wave-1 path-redaction PRs (all @Esc1200) into one coherent pass — credited as a single systemic group (ruleset v2 §5.2), not nine fixes:
- #1406 secret file path leak in error message
- #1408 redact paths from spawn failure errors
- #1421 redact SPARK_HOME from purge safety error
- #1422 generic text for manifest_path in SystemExit messages
- #1424 redact browser-use print paths (basename reference kept)
- #1429 remove internal path leaks from CLI prints
- #1430 redact hook/log paths from list output
- #1409 redact internal paths from gaps markdown report
- #1426 remove operator/log path leaks

Maintainer completion:
- narrowed _PATH_REDACT_RE to anchor POSIX paths to known roots + ~ + Windows drives, so URL paths (/api/v2/users) and slashy text (and/or, 3/4) are no longer over-redacted;
- removed compete-packet-operator-path-leak.json accidentally committed in #1426.

Co-authored-by: Esc1200 <Esc1200@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

…--lines help, uninstall-feedback + list/output cleanups

Consolidates remaining spark-compete Wave-1 CLI-output PRs:
- #1428 inspect_builder_event_samples top_trace_refs cap — @4gjnbzb4zf-sudo
- #1410 Builder overlap probes report matched count without disclosing the match — @4gjnbzb4zf-sudo
- #1407 'spark live logs --lines' help text — @4gjnbzb4zf-sudo
- #1427 remove internal module paths from CLI list/status output — @Esc1200
- #1439 preserve uninstall feedback when a named target hits empty registry — @4gjnbzb4zf-sudo

Maintainer completion:
- #1407/#1410: dropped ALL bundled registry.json commit-pin bumps (unauthorized attestation regression); kept only the cli.py help string / probe_cap fields;
- #1427: dropped the leaked trailing module.path column instead of duplicating the name column (the PR's {module.path}->{module.name} swap created a dup);
- #1439: hardened args.target access with getattr(args, "target", None).

Co-authored-by: 4gjnbzb4zf-sudo <4gjnbzb4zf-sudo@users.noreply.github.com>
Co-authored-by: Esc1200 <Esc1200@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Spark Compete — Wave 1: "install & build right" (first installer release)
First execution wave from the Spark Compete maintainer audit. Consolidates 30 reviewed-and-accepted Wave-1 PRs (open + resurrected-from-closed) into 6 coherent, conflict-free commits on the install/build surface. Merging the 30 branches individually would cascade conflicts on cli.py; this groups them by concern with maintainer-completion applied.

Commits
- normalize_unicode test.
- SPARK_HOME write-guard (fix(cli): exclude SPARK_HOME from write_denied_prefixes — unblocks live start / update on root installs #246), restart/SSH/install fixes (fix: restart exit code, stop_module PID safety, SSH JSON error, install.sh word splitting #81), Windows installer preflight (Fix Windows installer preflight when python3 app alias fails #210).
- _PATH_REDACT_RE narrowed to real filesystem roots so URL paths aren't over-redacted; removed an accidentally-committed packet file.
- --lines help ([spark-compete] enhance(spark): spark live logs --lines flag has no help text; operators can't tell 0=all from 0=new-only #1407), uninstall feedback + args.target guard (fix(cli): preserve uninstall feedback when a named target hits empty registry #1439), list-output path cleanup ([spark-compete] fix: remove internal module paths from CLI output and status notes #1427).

Maintainer changes worth review
- registry.json commit-pin bumps from [spark-compete] enhance(spark): spark live logs --lines flag has no help text; operators can't tell 0=all from 0=new-only #1407 / [spark-compete] fix(builder): Builder overlap probes report matched count without disclosing the 500-id sample cap #1410 / [spark-compete] fix: fallback Desktop path for Android/Termux where ~/Desktop does not exist #283 / Fix Windows installer preflight when python3 app alias fails #210 — they regressed git-commit-pin-v1 attestations to stale forked commits (flagged in security review).
- args.target access; narrowed the redaction regex; hand-merged [spark-compete] fix(security): require approval for user and group account mutations #1441's classifier (line-drift with [spark-compete] fix(security): require approval for docker exec, nsenter, and chroot #1440).

Verification
python -m compileall src/spark_cli clean; new tests (test_prompt_injection_unicode.py, test_approval_wave1.py) pass; full suite runs in CI.

Excluded
driasim/"Rayiea Hub" fraud PRs (README no-op markers behind fabricated CVSS packets) and duplicate-splits are not here — zero credit per ruleset v2 §5.1.
🤖 Generated with Claude Code
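
The redaction narrowing described in the path-redaction commit above (anchor to known roots, ~ and Windows drives so URL paths and slashy text survive), sketched as an added example that is not part of the PR or the project's code. PATH_REDACT_RE, KNOWN_ROOTS, redact_paths and the "<path>" placeholder are hypothetical names, and the root list is an assumption because the page does not show the project's pattern.

```python
import re

# Assumed root list for illustration; the page does not show the project's list.
KNOWN_ROOTS = ("home", "Users", "root", "var", "etc", "opt", "tmp", "usr", "srv", "mnt")
_roots = "|".join(KNOWN_ROOTS)

# Hypothetical stand-in for the project's _PATH_REDACT_RE (not shown on the page).
PATH_REDACT_RE = re.compile(
    rf"""
    (?<![\w/:.~-])              # never start mid-token: skips URL paths and a/b text
    (?:
        ~(?=/)                  # home shorthand, only when a slash follows
      | /(?:{_roots})(?![\w-])  # POSIX path that begins at a known root
      | [A-Za-z]:[\\/]          # Windows drive prefix
    )
    [^\s'"<>|,;)]*              # rest of the path, up to whitespace or a delimiter
    (?<![.:])                   # give back trailing sentence punctuation
    """,
    re.VERBOSE,
)


def redact_paths(text: str, keep_basename: bool = False) -> str:
    """Replace filesystem paths in CLI output with a placeholder.

    keep_basename=True keeps only the final path component, so a message
    can still name the file without disclosing where it lives.
    """
    def _sub(match: re.Match) -> str:
        if not keep_basename:
            return "<path>"
        base = re.split(r"[\\/]", match.group(0).rstrip("\\/"))[-1]
        return f"<path>/{base}"

    return PATH_REDACT_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample messages, not output from the project.
    samples = [
        "cannot read /home/alice/.spark/secrets.env: permission denied",
        r"spawn failed: C:\Users\alice\spark\run.log",
        "GET /api/v2/users returned 3/4 and/or retried",
        "see https://example.test/home/docs",
    ]
    for line in samples:
        print(redact_paths(line))
```

Windows paths that contain spaces are only redacted up to the first space with this pattern, so a caller that emits such paths should redact the value before formatting it into the message.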