Skip to content

fix: spawn CLI install fails on Sprite (broken bun shim)#2993

Merged
louisgv merged 1 commit intoOpenRouterTeam:mainfrom
AhmedTMM:fix/spawn-cli-bun-path
Mar 26, 2026
Merged

fix: spawn CLI install fails on Sprite (broken bun shim)#2993
louisgv merged 1 commit intoOpenRouterTeam:mainfrom
AhmedTMM:fix/spawn-cli-bun-path

Conversation

@AhmedTMM
Copy link
Collaborator

@AhmedTMM AhmedTMM commented Mar 25, 2026

Summary

  • Sprite has a bun shim at /.sprite/bin/bun that tries to exec $HOME/.bun/bin/bun — which doesn't exist on fresh VMs
  • command -v bun returns 0 (finds the shim) so the install script skips bun installation, then bun fails when actually invoked
  • installSpawnCli: now sources shell profiles, tests bun --version (not just existence), and installs bun fresh if it doesn't work
  • install.sh: replaced command -v bun with bun --version to detect broken shims

Test plan

  • spawn claude sprite --beta recursive → spawn CLI installs successfully (bun installed first)
  • spawn claude hetzner --beta recursive → still works (bun already functional)
  • Fresh VM without bun → install.sh installs bun then spawn

🤖 Generated with Claude Code

louisgv
louisgv previously approved these changes Mar 25, 2026
View reviewed changes
Copy link
Member

@louisgv louisgv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Review

Verdict: APPROVED
Commit: 15cfab4

Findings

No security issues found. Changes are safe:

  • Shell command construction uses only hardcoded literals (no injection risk)
  • Proper error handling with stderr redirection (2>/dev/null)
  • Environment variable expansion uses safe fallback patterns
  • curl commands properly use -fsSL flags
  • No user input interpolated into bash commands
  • Bun detection change improves reliability without security impact

Tests

  • bash -n: PASS (syntax check on install.sh)
  • bun test: PASS (1964 tests, 0 failures)
  • curl|bash: OK (no relative paths, no $0 dependencies)
  • macOS compat: OK (bash 3.x compatible constructs)

Summary

This PR fixes a legitimate installation bug on Sprite where a bun shim exists but doesn't work. The fix changes detection from command -v bun to bun --version which actually tests functionality. All security practices are properly followed.

-- security/pr-reviewer

@louisgv
Copy link
Member

louisgv commented Mar 25, 2026

Security Review Complete - Needs Rebase

Verdict: APPROVED (pending rebase)
Commit reviewed: 15cfab4

Security Findings

✅ No security issues found. All changes are safe.

Test Results

✅ bash -n: PASS
✅ bun test: PASS (1964/1964 tests)
✅ curl|bash compatibility: OK
✅ macOS bash 3.x compatibility: OK

Action Required

This PR cannot be merged due to conflicts with recent changes on main (commit b47d6bb). Please rebase on the latest main branch and push the updated changes. Once rebased, the PR can be merged immediately.

Security approval stands - no re-review needed after rebase unless substantial changes are made to the security-relevant code paths.

-- security/pr-reviewer

@AhmedTMM AhmedTMM force-pushed the fix/spawn-cli-bun-path branch from 15cfab4 to dfbda7c Compare March 25, 2026 23:28
@AhmedTMM @claude
fix: installSpawnCli fails on Sprite — bun shim doesn't work
a20451d 
Sprite has a bun shim at /.sprite/bin/bun that delegates to
$HOME/.bun/bin/bun, but that binary doesn't exist on fresh VMs.
`command -v bun` returns true (finds the shim) so the install script
skips bun installation, then bun fails when actually invoked.

Fixed in two places:
- installSpawnCli: source shell profiles, test `bun --version` (not
  just existence), and install bun fresh if it doesn't work
- install.sh: replace `command -v bun` with `bun --version` to detect
  broken shims

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@AhmedTMM AhmedTMM force-pushed the fix/spawn-cli-bun-path branch from dfbda7c to a20451d Compare March 26, 2026 00:21
louisgv
louisgv approved these changes Mar 26, 2026
View reviewed changes
Copy link
Member

@louisgv louisgv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Review

Verdict: APPROVED
Commit: a20451d

Findings

No security issues found. Changes are safe and improve reliability:

  • Shell PATH construction uses only hardcoded values ($HOME, $BUN_INSTALL expansion)
  • curl|bash patterns follow security best practices (HTTPS, -fsSL flags, no user input)
  • Change from command -v bun to bun --version is actually a security improvement (tests actual functionality vs existence)
  • No command injection vectors, credential leaks, or path traversal risks
  • macOS bash 3.x compatible (&>/dev/null, safe parameter expansion)

Tests

  • bash -n: PASS (sh/cli/install.sh syntax valid)
  • bun test: PASS (1955 tests pass, 0 failures)
  • curl|bash safety: OK (HTTPS URLs, -fsSL flags, no dynamic construction)
  • macOS compat: OK (bash 3.x safe patterns throughout)

Summary

This PR fixes a real issue where Sprite's broken bun shim caused installation failures. The fix properly tests bun functionality rather than just existence, and all shell command construction is safe (hardcoded literals only). Ready to merge.

-- security/pr-reviewer

@louisgv louisgv merged commit 90dde88 into OpenRouterTeam:main Mar 26, 2026
5 checks passed
@AhmedTMM AhmedTMM mentioned this pull request Mar 26, 2026
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@louisgv louisgv louisgv approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AhmedTMM @louisgv