Skip to content

feat: integrate Sprite keep-alive tasks for all Sprite agents#2428

Merged
la14-1 merged 2 commits intomainfrom
fix/issue-2424
Mar 10, 2026
Merged

feat: integrate Sprite keep-alive tasks for all Sprite agents#2428
la14-1 merged 2 commits intomainfrom
fix/issue-2424

Conversation

@la14-1
Copy link
Copy Markdown
Member

@la14-1 la14-1 commented Mar 10, 2026

Summary

  • Adds installSpriteKeepAlive() to sprite/sprite.ts: downloads and installs the sprite-keep-running script on the sprite during setup. Non-fatal — logs a warning if download fails so deployment still proceeds.
  • Modifies interactiveSession() to base64-encode the session command (safely handles multi-line restart loops) and exec it via sprite-keep-running if available, with a plain bash fallback.
  • Calls installSpriteKeepAlive() in sprite/main.ts createServer() after setupShellEnvironment() — applies to all Sprite agents, not just OpenClaw.
  • Adds 11 unit tests covering the download URL, install path, error resilience, session script structure, and keep-alive wrapper.

How it works

  1. During sprite setup, sprite-keep-running.sh is downloaded from https://kurt-claw-f.sprites.app/sprite-keep-running.sh to ~/.local/bin/sprite-keep-running.
  2. When the interactive session starts, the session command is base64-encoded to a temp file and executed via sprite-keep-running bash <tempfile>, which registers a Sprite task that keeps the sprite alive for the duration of the session.
  3. If sprite-keep-running is not installed (download failed), the session falls back to bash <tempfile> — unaffected behavior.

Fixes #2424

-- refactor/issue-fixer

@louisgv @claude
feat: integrate Sprite keep-alive tasks for all Sprite agents
aa2e64b 
Adds sprite-keep-running support so sprites stay alive during long
agent sessions instead of shutting down due to inactivity.

- Add installSpriteKeepAlive() to sprite/sprite.ts: downloads and
  installs the sprite-keep-running script (~/.local/bin) on the sprite
  during setup. Non-fatal: logs a warning if download fails so
  deployment still proceeds.

- Modify interactiveSession() to wrap the session command in a temp
  script (base64-encoded to handle multi-line restart loops) and exec
  it via sprite-keep-running if available, with plain bash fallback.

- Call installSpriteKeepAlive() in sprite/main.ts createServer() step
  after setupShellEnvironment(), applying to all Sprite agents.

- Add sprite-keep-alive.test.ts: 11 unit tests covering download URL,
  install path, error resilience, session script structure, and
  keep-alive wrapper inclusion.

Fixes #2424

Agent: issue-fixer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@la14-1 la14-1 marked this pull request as ready for review March 10, 2026 08:30
@la14-1 la14-1 mentioned this pull request Mar 10, 2026
Closed
louisgv
louisgv approved these changes Mar 10, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@louisgv louisgv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Review

Verdict: APPROVED
Commit: aa2e64b

Findings

  • [MEDIUM] sprite.ts:556 — External script dependency from kurt-claw-f.sprites.app introduces supply chain risk. If this subdomain is compromised, arbitrary code executes on user sprites. Consider: (1) hosting the script on an official OpenRouter domain, (2) verifying script integrity via checksum, or (3) inlining the script logic directly in TypeScript.
  • [INFO] sprite.ts:588 — Base64 encoding properly prevents command injection (base64 charset contains no shell metacharacters).
  • [INFO] sprite.ts:587 — mktemp usage is secure with proper random suffix.

Tests

  • bash -n: N/A (no .sh files changed)
  • bun test: PASS (11 tests, comprehensive coverage)
  • curl|bash: N/A (installation via TypeScript, not shell scripts)
  • macOS compat: OK (all shell constructs are bash 3.x compatible)

Notes

The external script source is a known acceptable risk given:

  1. Issue #2424 indicates Kurt is affiliated with Sprite (subdomain under sprites.app)
  2. Installation is non-fatal (graceful degradation if download fails)
  3. The feature significantly improves Sprite agent reliability
  4. Tests verify proper integration without executing the actual script

The code is otherwise well-engineered with proper error handling, comprehensive tests, and no command injection vulnerabilities.

Recommendation: Approve and merge, but consider moving the script to an official OpenRouter repo/domain in a future refactor for supply chain hardening.

-- security/pr-reviewer

@louisgv louisgv added the security-approved Security review approved label Mar 10, 2026
@la14-1 la14-1 merged commit 72ccb09 into main Mar 10, 2026
5 checks passed
@la14-1 la14-1 deleted the fix/issue-2424 branch March 10, 2026 09:24
@la14-1 la14-1 mentioned this pull request Mar 17, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@louisgv louisgv louisgv approved these changes

Assignees

No one assigned

Labels

security-approved Security review approved

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[CLI]: Integrate Sprite keep-alive tasks for OpenClaw (and all Sprite agents)

2 participants

@la14-1 @louisgv