v0.2.4 — security & code review remediation

gl0bal01 released this 03 Jul 04:40

Full security/code review pass — all findings fixed (4 High, 4 Medium, 9 Low).

Security Fixes

  • sudo pai-anywhere now actually works (H1): install ships a root-owned /usr/local/bin/pai-anywhere launcher; the previous bin symlink was not executable (mode 644, bun not on root's PATH) — which made the documented reset-access security-recovery path unusable. Install verify now executes the launcher.
  • Uninstall/rollback stops services (H2): systemd units are recorded as systemd-service in the manifest, so uninstall stops and disables the gateway and Pulse instead of leaving them running with old secrets in memory. Old manifests are handled via compat routing.
  • reset-access fully rotates the pairing code (H3): pairing-code.txt is rewritten alongside gateway.env. Previously the old (possibly leaked) code survived in the file the docs point at, and an idempotent install.sh re-run silently reinstated it.
  • Install verification runs the real probes (H4): the verify phase now runs pai-anywhere verify (gateway service + auth gate, Pulse health, profile, manifest, Serve safety). A dead gateway now fails the install instead of printing success.
  • Uninstall unowned-content check uses exact-path matching (M3); prefix collisions could previously delete directories containing unowned files.
  • Gateway proxy rejects WebSocket upgrades with a clear 501 and strips stale content-encoding/content-length framing headers from proxied responses (M4).
  • Session cookie uses the __Host- prefix when Secure (L9); pairing code is printed only to an interactive terminal (L5); dependency install hard-fails on lockfile drift instead of falling back unpinned (L6); OPTIONS dropped from the proxy method allowlist to match the threat model (L7).
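The M3 prefix-collision bug and its exact-path fix, as an added illustration (not pai-anywhere's own code): the manifest format (one absolute path per line), the fixture layout and both matcher functions are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example for the M3 finding: an uninstall "unowned content" check that
# decides whether a directory may be removed. Manifest format and tree are
# constructed here, not taken from pai-anywhere.
set -eu

# Build a constructed manifest and directory tree under a temp dir.
# Only config.yaml is recorded as owned; config.yaml.bak is user data.
make_fixture() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/opt/pai"
  printf 'owned\n' > "$root/opt/pai/config.yaml"
  printf 'user data\n' > "$root/opt/pai/config.yaml.bak"   # NOT in manifest
  printf '%s\n' "$root/opt/pai/config.yaml" > "$root/manifest.txt"
  echo "$root"
}

# Vulnerable form: prefix match. "config.yaml.bak" starts with an owned path,
# so it is wrongly treated as owned and the directory looks safe to delete.
is_owned_prefix() { # manifest path
  local manifest=$1 path=$2 owned
  while IFS= read -r owned; do
    case "$path" in "$owned"*) return 0 ;; esac
  done < "$manifest"
  return 1
}

# Hardened form: exact whole-line match (grep -F -x), no prefix semantics.
is_owned_exact() { # manifest path
  grep -Fxq -- "$2" "$1"
}

# Prints every file under $dir that $matcher does not recognise as owned.
# Empty output means the directory contains only owned files.
unowned_files() { # matcher manifest dir
  local matcher=$1 manifest=$2 dir=$3 f
  find "$dir" -type f | while IFS= read -r f; do
    "$matcher" "$manifest" "$f" || printf '%s\n' "$f"
  done
}
```

Run with the prefix matcher the fixture directory reports no unowned files and would be deleted together with config.yaml.bak; with the exact matcher the backup is flagged and the directory is left alone.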

CI

  • New ci.yml: typecheck, bun test, shellcheck, and shell safety tests on every push/PR to main (M1).
  • Root-gated safety tests (uninstall-safety, partial-install-rollback) now run in CI in an ubuntu:24.04 container (M2). GitHub Actions pinned by SHA (L8).

Reliability

  • Manifest paths are JSON-escaped (L1); clear under set -e can no longer fail a successful install (L2); uninstall archives the manifest and cleans runtime leftovers (L3); atomic secret writes clean up their temp file on failure (L4).

Verification: 58/58 bun tests, tsc clean, shellcheck clean, non-root shell tests pass, root safety tests pass in a real ubuntu:24.04 container.

Install:

curl -fsSL https://raw.githubusercontent.com/gl0bal01/pai-anywhere/v0.2.4/install.sh | sudo bash