bug: sprite-keep-running.sh downloads from a personal VM URL (kurt-claw-f.sprites.app) #2699

@la14-1

Problem

packages/cli/src/sprite/sprite.ts in installSpriteKeepAlive() downloads the keep-alive script from a personal/dev VM:

const scriptUrl = "https://kurt-claw-f.sprites.app/sprite-keep-running.sh";

This was introduced in PR #2428 (commit 72ccb098). The URL kurt-claw-f.sprites.app appears to be a personal Sprite VM — not an official hosted asset.

Risk

  • If the VM is shut down, stopped, or deleted, the keep-alive install silently fails for ALL users deploying to Sprite
  • Users have no indication this is a dependency on a personal VM
  • The script is downloaded and executed on remote VMs (chmod +x + run) — security risk if the VM gets compromised

Suggested Fix

Host sprite-keep-running.sh at an official location:

  1. Upload to https://openrouter.ai/labs/spawn/shared/sprite-keep-running.sh (the CDN proxy)
  2. Or host in the spawn GitHub repo under sh/shared/ and serve via raw.githubusercontent.com
  3. Or bundle the keep-alive logic directly in the TypeScript code without a remote download

Context

  • File: packages/cli/src/sprite/sprite.ts lines 613-622
  • Test: packages/cli/src/__tests__/sprite-keep-alive.test.ts line 86 (also hardcodes the URL)
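One way to guard the download this issue describes, as an added example that is not code from the spawn repository: accept the script only from an official HTTPS host and only if it matches a digest pinned in the CLI. The allowlisted hosts are the two named in the suggested fix; the function names, the sample script body and its digest are constructed for illustration.

```typescript
import { createHash } from "node:crypto";

// Assumption: the two hosts named in the issue's suggested fix.
const OFFICIAL_HOSTS = new Set(["openrouter.ai", "raw.githubusercontent.com"]);

type Verdict = { ok: boolean; reason?: string };

// Accept only HTTPS URLs whose hostname exactly matches an allowlisted host.
function checkScriptUrl(raw: string): Verdict {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // Exact match only: no subdomain or suffix matching.
  if (!OFFICIAL_HOSTS.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} is not allowlisted` };
  }
  return { ok: true };
}

// Compare the downloaded script with a SHA-256 digest pinned in the CLI source.
function checkScriptDigest(body: string, pinnedSha256Hex: string): Verdict {
  const actual = createHash("sha256").update(body, "utf8").digest("hex");
  if (actual !== pinnedSha256Hex.toLowerCase()) {
    return { ok: false, reason: `sha256 mismatch, got ${actual}` };
  }
  return { ok: true };
}

// Run both checks; only a passing verdict should lead to chmod +x and execution.
function vetKeepAliveScript(url: string, body: string, pin: string): Verdict {
  const urlVerdict = checkScriptUrl(url);
  return urlVerdict.ok ? checkScriptDigest(body, pin) : urlVerdict;
}

// Constructed sample input: stands in for the real sprite-keep-running.sh.
const SAMPLE_SCRIPT = "#!/bin/sh\nwhile :; do sleep 60; done\n";
const SAMPLE_PIN = createHash("sha256").update(SAMPLE_SCRIPT, "utf8").digest("hex");
const OFFICIAL_URL = "https://openrouter.ai/labs/spawn/shared/sprite-keep-running.sh";
const PERSONAL_URL = "https://kurt-claw-f.sprites.app/sprite-keep-running.sh";

console.log(vetKeepAliveScript(PERSONAL_URL, SAMPLE_SCRIPT, SAMPLE_PIN));
console.log(vetKeepAliveScript(OFFICIAL_URL, SAMPLE_SCRIPT, SAMPLE_PIN));
```

Allowlisting raw.githubusercontent.com by hostname alone still admits any repository on that host, which is why the digest pin is checked as well.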

Labels: safe-to-work (Security triage: safe for automated processing)