Full security/code review pass — all findings fixed (4 High, 4 Medium, 9 Low).
Security Fixes
- `sudo pai-anywhere` now actually works (H1): install ships a root-owned `/usr/local/bin/pai-anywhere` launcher; the previous bin symlink was unexecutable (mode 644, bun not on root's PATH), which made the documented `reset-access` security-recovery path unusable. Install verify now executes the launcher.
- Uninstall/rollback stops services (H2): systemd units are recorded as `systemd-service` in the manifest, so uninstall stops and disables the gateway and Pulse instead of leaving them running with old secrets in memory. Old manifests are handled via compat routing.
- `reset-access` fully rotates the pairing code (H3): `pairing-code.txt` is rewritten alongside `gateway.env`. Previously the old (possibly leaked) code survived in the file the docs point at, and an idempotent `install.sh` re-run silently reinstated it.
- Install verification runs the real probes (H4): the verify phase now runs `pai-anywhere verify` (gateway service + auth gate, Pulse health, profile, manifest, Serve safety). A dead gateway now fails the install instead of printing success.
- Uninstall unowned-content check uses exact-path matching (M3); prefix collisions could previously delete directories containing unowned files.
- Gateway proxy rejects WebSocket upgrades with a clear 501 and strips stale `content-encoding`/`content-length` framing headers from proxied responses (M4).
- Session cookie uses the `__Host-` prefix when Secure (L9), which browsers honour only for a Secure cookie with no Domain attribute and Path=/, so the cookie is bound to the exact host and cannot be set from a sibling subdomain; pairing code is printed only to an interactive terminal (L5); dependency install hard-fails on lockfile drift instead of falling back unpinned (L6); `OPTIONS` dropped from the proxy method allowlist to match the threat model (L7).
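A post-install probe in the spirit of the H1 fix, added here as an example and not the project's own verify code: it refuses a launcher that is not a regular executable owned by the expected uid, and then actually executes it with the PATH root gets under sudo instead of only stat'ing it. The secure_path value, the `--help` flag, and the two stand-in launchers built under a temporary directory are assumptions made for the demonstration (the "bun" there is a shell stub, not the real runtime).

```bash
#!/usr/bin/env bash
# Added example (not pai-anywhere's installer): verify a CLI launcher the way root will use it.
set -eu

# PATH root gets under sudo on Debian/Ubuntu (secure_path); an assumption for other distros.
# Overridable so the probe can be pointed at a stricter PATH.
ROOT_PATH=${ROOT_PATH:-/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin}

# verify_launcher PATH [UID]: succeed only if PATH is a regular file (symlinks are followed),
# owned by UID (default 0), executable, and runs to completion with an empty environment
# and root's PATH. A mode-644 target or a "#!/usr/bin/env bun" shebang with bun installed
# only under a user's home directory fails here, which is what the old verify step missed.
verify_launcher() {
  local launcher=$1 want_uid=${2:-0} uid
  [ -f "$launcher" ] || { echo "not a regular file: $launcher" >&2; return 1; }
  uid=$(stat -L -c %u "$launcher" 2>/dev/null || stat -L -f %u "$launcher")
  [ "$uid" = "$want_uid" ] || { echo "owned by uid $uid, expected $want_uid" >&2; return 1; }
  [ -x "$launcher" ] || { echo "not executable: $launcher" >&2; return 1; }
  env -i PATH="$ROOT_PATH" "$launcher" --help >/dev/null 2>&1 ||
    { echo "launcher fails under PATH=$ROOT_PATH: $launcher" >&2; return 1; }
}

# Constructed fixture: a runtime that lives only in a user's home directory, a script that
# depends on it via env, and the two ways of exposing that script to root.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/home/bin"
printf '#!/bin/sh\necho "bun stand-in: $*"\n' > "$DEMO_DIR/home/bin/bun"
chmod 755 "$DEMO_DIR/home/bin/bun"
printf '#!/usr/bin/env bun\nconsole.log("cli")\n' > "$DEMO_DIR/cli.ts"
chmod 644 "$DEMO_DIR/cli.ts"

# Before H1: a symlink straight to the script (not executable, runtime not on root's PATH).
ln -s "$DEMO_DIR/cli.ts" "$DEMO_DIR/pai-anywhere-symlink"
# After H1: a mode-755 sh wrapper that names the runtime by absolute path.
printf '#!/bin/sh\nexec "%s" "%s" "$@"\n' "$DEMO_DIR/home/bin/bun" "$DEMO_DIR/cli.ts" \
  > "$DEMO_DIR/pai-anywhere"
chmod 755 "$DEMO_DIR/pai-anywhere"

# Run as the current user, so the owner check is relaxed to our own uid; a real install
# verify would pass 0 (the default) for a root-owned launcher in /usr/local/bin.
for candidate in pai-anywhere-symlink pai-anywhere; do
  if verify_launcher "$DEMO_DIR/$candidate" "$(id -u)"; then
    echo "OK   $candidate"
  else
    echo "FAIL $candidate"
  fi
done
```

The probe deliberately uses `env -i` rather than the caller's environment: a launcher that only works because the installing user's shell had `~/.bun/bin` on PATH is exactly the failure H1 describes.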
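The M3 point, as an added example and not the project's uninstaller: the old prefix matcher beside an exact matcher, and an unowned-content check built on the exact one that an uninstaller must consult before removing a directory. The manifest format (one `kind<TAB>absolute-path` line per owned entry), the directory layout and the sample files are assumptions constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not pai-anywhere's uninstaller): prefix vs exact ownership matching (M3).
# Manifest format assumed here: one "kind<TAB>absolute-path" line per owned entry.
set -eu

# Pre-M3 behaviour: a path is "owned" if it merely starts with a recorded path, so the
# entry for gateway.env also claims gateway.env.bak, and /opt/pai claims /opt/pai-data.
prefix_owned() {
  local path=$1
  cut -f2 "$2" | {
    while IFS= read -r owned; do
      case $path in "$owned"*) exit 0 ;; esac
    done
    exit 1
  }
}

# M3 behaviour: a path is owned only if it is recorded verbatim.
exact_owned() {
  local path=$1
  cut -f2 "$2" | {
    while IFS= read -r owned; do
      [ "$path" = "$owned" ] && exit 0
    done
    exit 1
  }
}

# Print every entry below DIR that the manifest does not record exactly; uninstall must
# refuse to rm -rf DIR while this prints anything.
unowned_content() {
  local dir=$1 manifest=$2
  find "$dir" -mindepth 1 | sort | while IFS= read -r entry; do
    exact_owned "$entry" "$manifest" || printf '%s\n' "$entry"
  done
}

safe_to_remove() {
  [ -z "$(unowned_content "$1" "$2")" ]
}

# Constructed sample install: the manifest owns the directory and two files, while
# gateway.env.bak is an operator's backup that was never recorded.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
SAMPLE_DIR=$SAMPLE_ROOT/opt/pai
SAMPLE_MANIFEST=$SAMPLE_ROOT/manifest.tsv
mkdir -p "$SAMPLE_DIR"
printf 'PAIRING_CODE=demo\n' > "$SAMPLE_DIR/gateway.env"
printf 'demo\n' > "$SAMPLE_DIR/pairing-code.txt"
cp "$SAMPLE_DIR/gateway.env" "$SAMPLE_DIR/gateway.env.bak"
printf 'dir\t%s\nfile\t%s\nfile\t%s\n' "$SAMPLE_DIR" "$SAMPLE_DIR/gateway.env" \
  "$SAMPLE_DIR/pairing-code.txt" > "$SAMPLE_MANIFEST"

if prefix_owned "$SAMPLE_DIR/gateway.env.bak" "$SAMPLE_MANIFEST"; then
  echo "prefix match: gateway.env.bak wrongly counted as owned; directory would be removed"
fi
echo "exact match: unowned content blocking removal of $SAMPLE_DIR:"
unowned_content "$SAMPLE_DIR" "$SAMPLE_MANIFEST"
```

Exact matching means a directory is removable only when every file under it was written by the installer and recorded at the time; anything an operator dropped in afterwards, such as a backup or a local override, keeps the directory alive for them to deal with.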
CI
- New `ci.yml`: typecheck, `bun test`, shellcheck, and shell safety tests on every push/PR to main (M1).
- Root-gated safety tests (uninstall-safety, partial-install-rollback) now run in CI in an ubuntu:24.04 container (M2).
- GitHub Actions pinned by SHA (L8).
Reliability
- Manifest paths are JSON-escaped (L1); `clear` under `set -e` can no longer fail a successful install (L2; `clear` exits non-zero when `TERM` is unset or unknown, which previously aborted the script at the cosmetic step); uninstall archives the manifest and cleans runtime leftovers (L3); atomic secret writes clean up their temp file on failure (L4).
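The L4 temp-file cleanup and the H3 rotation from the Security Fixes above, together in one added example that is not the project's `reset-access` code: a secret is written to a temp file created next to its destination and renamed into place, so readers see either the old or the new content, and the temp file is removed if the generator, `chmod` or `mv` fails; the rotation then writes both `gateway.env` and `pairing-code.txt` from one generated value, and a consistency check exposes the pre-H3 state where only `gateway.env` was rewritten. The `PAIRING_CODE=` variable name, the code format (16 random bytes as hex) and the directory layout are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not pai-anywhere's reset-access): atomic secret writes with temp-file
# cleanup (L4) and a pairing-code rotation that updates both files the system reads (H3).
set -eu

# write_secret_atomic DEST CMD [ARGS...]: run CMD, store its stdout in DEST with mode 0600.
# The temp file lives in DEST's directory so the final mv is a same-filesystem rename
# (atomic: readers see the old file or the new one, never a partial write). If CMD,
# chmod or mv fails, the temp file is removed and DEST is left untouched.
write_secret_atomic() {
  local dest=$1 tmp
  shift
  tmp=$(umask 077; mktemp "$(dirname "$dest")/.$(basename "$dest").XXXXXX") || return 1
  if "$@" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest"; then
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# 16 random bytes as 32 hex characters (the format is an assumption for this example).
new_pairing_code() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Rotate the code in both places. Rewriting gateway.env alone (the pre-H3 behaviour)
# leaves the old, possibly leaked, code in pairing-code.txt, where a later idempotent
# install run can read it back and reinstate it.
rotate_pairing_code() {
  local dir=$1 code
  code=$(new_pairing_code) || return 1
  write_secret_atomic "$dir/gateway.env" printf 'PAIRING_CODE=%s\n' "$code" || return 1
  write_secret_atomic "$dir/pairing-code.txt" printf '%s\n' "$code" || return 1
}

# Succeed only when the code the gateway loads matches the one the docs tell users to read.
pairing_code_consistent() {
  local dir=$1 env_code file_code
  env_code=$(sed -n 's/^PAIRING_CODE=//p' "$dir/gateway.env")
  file_code=$(cat "$dir/pairing-code.txt")
  [ -n "$env_code" ] && [ "$env_code" = "$file_code" ]
}

# Demo on a throwaway directory (constructed). The code is echoed only to a terminal (cf. L5).
DEMO_DIR=$(mktemp -d)
rotate_pairing_code "$DEMO_DIR"
if pairing_code_consistent "$DEMO_DIR" && [ -t 1 ]; then
  echo "rotated pairing code: $(cat "$DEMO_DIR/pairing-code.txt")"
fi
rm -rf "$DEMO_DIR"
```

Generating the code once and passing the same value to both writes is what makes the two files agree; generating inside each write would rotate them to two different codes and recreate the H3 inconsistency in a new form.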
Verification: 58/58 bun tests, tsc clean, shellcheck clean, non-root shell tests pass, root safety tests pass in a real ubuntu:24.04 container.
Install:
curl -fsSL https://raw.githubusercontent.com/gl0bal01/pai-anywhere/v0.2.4/install.sh | sudo bash