Files
goclaw/docs/packages-github.md
T
Duy /zuey/ 4472c607b8 feat(workstation): Remote Workstation Runtime — SSH exec + security + audit (#4)
* feat(packages): add update flow for GitHub binaries (#900)

Closes #900. Proactive update-check + atomic swap for GitHub-installed
binaries on the Runtime & Packages page. Interfaces prepared for pip/npm/apk
extension in Phase 2.

- UpdateCache + UpdateRegistry + PackageLocker (ctx-aware keyed mutex)
- GitHubUpdateChecker: ETag-aware, distinct /latest vs /list ETag keys,
  semver-correct ordering via golang.org/x/mod/semver, non-semver fallback
  that refuses to downgrade, pre-release + stable candidate fusion for
  the v1.0.0-rc.1 -> v1.0.0 transition
- GitHubUpdateExecutor: two-phase .bak swap with hadBackup-aware rollback,
  manifest save retry (3x, 100ms/500ms/1s backoff), nil-safe meta access,
  explicit ScratchDir, 0755 set pre-rename
- HTTP: GET /v1/packages/updates (SWR), POST /v1/packages/updates/refresh,
  POST /v1/packages/update, POST /v1/packages/updates/apply-all
  (always 200, failed[] is error source). Master-scope gated.
- WS events package.update.{checked,started,succeeded,failed} forwarded to
  owner clients via event_filter.go
- Frontend: useUpdates hook + 3 components (summary bar, update-all modal,
  row button), master-scope-gated disabled state
- i18n: 8 backend keys + 17 frontend keys x en/vi/zh
- Config: packages.github_token (reserved), updates_check_ttl, scratch_dir
- 45+ new tests, race-clean, BenchmarkCheckAll10Packages ~1.1ms/op warm

* docs(packages): document update flow + Phase 1 completion

- packages-github.md: "Updating Installed Packages" section with UI + API
  contract, troubleshooting runbook (corrupt cache, rate-limit, scratch dir,
  mid-swap recovery)
- 17-changelog.md + CHANGELOG.md: Phase 1 entry
- 14-skills-runtime.md: cross-ref to update flow
- journal entry capturing CRIT fixes (double-write, lock-key mismatch,
  rollback false-alarm) + design wins (keyed locks, red-team pre-flight)

* feat(workstation): remote workstation runtime — SSH exec + security + audit

Adds generic Remote Workstation Runtime enabling agents to execute commands
on user-owned SSH workstations. Includes registry (DB + API + UI), SSH backend
with connection pool and circuit breaker, workstation.exec + claude_remote tools,
NFKC + binary-name allowlist security, and audit logging.

Standard edition only. Closes #941.

* fix(workstation): address 3 critical + 5 important code review findings

- C1: Add json:"-" to Metadata/DefaultEnv fields; use SanitizedView() in
  all API responses to prevent SSH private key leakage
- C2: Wire CheckEnv into PermCheckFn; LD_PRELOAD/PATH injection now blocked
- C3: SSH Setenv fallback — prepend `export K=V;` when server rejects Setenv
- I1: BackendCache sync.RWMutex → sync.Mutex (fix data race on lastUsed)
- I2: Validate metadata shape in handleUpdate before store write
- I3: Include command in exec-done event; activity sink uses actual cmd hash
- I4: Wrap pool release in sync.Once (idempotent double-call safety)
- I5: Verify workstation tenant ownership before adding permissions

* fix(packages): bypass HTTPS+IP validation in update executor tests

Test httptest servers bind to http://127.0.0.1 which fails both the
HTTPS scheme check and literal-IP SSRF guard. Add testSkipDownloadValidation
flag (same pattern as existing withTestDownloadHosts) to skip full URL
validation in test context.

* fix(workstation): address Claude review findings — tenant isolation + pool leak + dead code

- Activity list: add workstation ownership check before listing
  (prevents cross-tenant activity enumeration via known UUID)
- SSH pool: clean up p.sem + p.circuits maps in CloseWorkstation,
  prune, and Close to prevent unbounded map growth
- RPC handlers: return ErrInvalidRequest on JSON unmarshal failure
  instead of silently using zero-value params
- Remove unused containsControlChars function in normalize.go
- HTTP tests: add 10s context timeout to prevent CI package timeout

* fix(workstation): DefaultEnv JSON parse, backend cache leak, perm ownership check

- DefaultEnv: replace KEY=VALUE text parse with json.Unmarshal (stored as
  JSON by HTTP handler, was silently ignored)
- BackendCache: close losing backend on concurrent cache miss to prevent
  pruneLoop goroutine leak
- Backend interface: add Close() error method; SSHBackend delegates to
  pool.Close()
- handlePermList: add wsStore.GetByID ownership check (prevents cross-tenant
  UUID enumeration returning empty array vs 404)
- scanRows: log scan errors instead of silently skipping

* fix(workstation): wire activity sink shutdown + remove misleading comment

- WireActivitySink: capture cleanup func, register in gateway shutdown
  (was discarded → retention goroutine leaked + buffered rows lost)
- Add Stop() to WorkstationActivityStore interface (PG+SQLite already had it)
- wireWorkstationTools returns cleanup func; gateway.go defers it
- Remove misleading "re-validate env" comment in allowlist.go Check()

* ci: bump unit test timeout from 90s to 120s

hooks/handlers package (goja script tests) consumes ~85s on cold CI
runners, leaving insufficient headroom for HTTP retry tests with 1s
backoff. 120s provides adequate breathing room without masking real
deadlocks.

* fix: compile errors in integration tests + allowlist docstring

- packages_update_test: add missing lockKey arg to registry.Apply
- mcp_grant_revoke_test: remove unused fakeMCPClient struct
- allowlist.go: fix Check() docstring to match actual 3-step pipeline

* fix(test): relax mcp grant revoke assertion for pre-Phase02 state

Execute-time grant checking not yet wired — test correctly gets an
error but the message is "no active client" (nil clientPtr) rather
than "grant revoked". Accept any error as valid regression guard.

* chore: trigger CI on digitopvn/goclaw fork

* ci: retrigger workflows

* fix(permissions): classify workstation methods in RBAC policy
2026-05-11 14:58:19 +07:00

9.7 KiB
Raw Blame History

GitHub Binary Installer

Install CLI tools directly from GitHub Releases at runtime. Covers Go, Rust, shell, and other binary-distributed tools not available via apk / pip / npm.

Closes #741.

Install Syntax

github:owner/repo[@tag]

Examples:

  • github:cli/cli → latest release
  • github:jesseduffield/lazygit@v0.42.0 → specific version
  • github:sharkdp/fd@v9.0.0 → specific version with dot separator

How It Works

  1. Fetches release metadata from the GitHub API
  2. Auto-selects asset matching linux + current arch (amd64 / arm64)
  3. Streams download to a temp file, enforcing a max size cap
  4. Verifies SHA256 if the publisher ships checksums.txt / SHA256SUMS
  5. Validates ELF magic bytes + 64-bit class + machine matches runtime arch
  6. Extracts archive safely (tar.gz / zip / raw binary) with path-traversal + zip-bomb guards
  7. Installs to /app/data/.runtime/bin/ (prepended to $PATH)
  8. Persists a manifest for later listing + uninstall

Usage

Web UI

  1. Admin Settings → Packages page
  2. Scroll to GitHub Binaries section
  3. Enter owner/repo[@tag] or click Browse releases to pick a version
  4. Click Install

HTTP API

# Install
curl -X POST http://gateway/v1/packages/install \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"package": "github:jesseduffield/lazygit@v0.42.0"}'

# List installed (includes pip/npm/system + github)
curl http://gateway/v1/packages -H "Authorization: Bearer $ADMIN_TOKEN"

# Browse releases (picker UI uses this)
curl 'http://gateway/v1/packages/github-releases?repo=cli/cli&limit=10' \
  -H "Authorization: Bearer $VIEWER_TOKEN"

# Uninstall
curl -X POST http://gateway/v1/packages/uninstall \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"package": "github:lazygit"}'

Admin Configuration

All configuration is driven by environment variables — never place the token in config.json.

Env var Default Notes
GOCLAW_PACKAGES_GITHUB_TOKEN "" Optional PAT: rate 60/hr → 5000/hr + private repo access
GOCLAW_PACKAGES_MAX_ASSET_SIZE_MB 200 Applies to both download cap and 2× uncompressed cap
GOCLAW_PACKAGES_GITHUB_ALLOWED_ORGS "" Comma-separated allowlist (empty = all orgs allowed)
GOCLAW_PACKAGES_GITHUB_BIN_DIR /app/data/.runtime/bin Where extracted binaries land
GOCLAW_PACKAGES_GITHUB_MANIFEST {bin_dir}/../github-packages.json Manifest path

Token scopes:

  • public-only repos: no scopes required
  • private repos: repo
  • org-SSO-enforced repos: must be SSO-authorized PAT

Security

  • HTTPS-only downloads with SSRF host allowlist: github.com, api.github.com, objects.githubusercontent.com, release-assets.githubusercontent.com, codeload.github.com
  • Every redirect hop re-validated (blocks redirect-based host escape)
  • Literal IP hostnames (v4 / v6) always rejected (blocks cloud-metadata access)
  • SHA256 verification when publisher ships checksums.txt / SHA256SUMS (constant-time compare)
  • ELF magic + 64-bit class + machine-arch validation before chmod +x
  • Path-traversal prevention in archive extraction (rejects .., absolute, Windows drive, null byte)
  • Zip-bomb guard (cumulative uncompressed bytes capped at 2× max asset size)
  • Symlink / hardlink entries skipped, never written
  • Admin-only API + master-scope guard on install/uninstall
  • Picker endpoint /v1/packages/github-releases throttled per user (30 req/min, burst 10) to protect GitHub API quota; anonymous fallback keyed by remote IP. Response is 429 Too Many Requests with Retry-After: 60 when tripped.
  • Token never logged (startup log prints token_set=bool)

Troubleshooting

"glibc not found" / segfault on execution

GoClaw runs on Alpine Linux (musl libc). Many Go/Rust binaries target glibc.

Fix: pick a musl-compatible release asset. Look for names containing:

  • *-musl.tar.gz (explicit musl)
  • *-linux-static* (fully static)
  • Go binaries with CGO_ENABLED=0 typically work out of the box

Known-good musl releases:

  • ripgrep: ripgrep-*-x86_64-unknown-linux-musl.tar.gz
  • starship: starship-x86_64-unknown-linux-musl.tar.gz
  • gh: gh_*_linux_amd64.tar.gz (static)

"no matching asset found"

Asset naming doesn't fit the heuristic. Open the release page and confirm assets exist for linux + your arch. Workaround: file an upstream issue asking for standard linux_amd64 / linux_arm64 naming.

"arch mismatch"

Binary is amd64 but runtime is arm64 (or vice versa). Pick a release asset matching the host arch — the release picker UI filters automatically.

"rate limit exceeded"

Anonymous GitHub API is capped at 60 req/hr. Set GOCLAW_PACKAGES_GITHUB_TOKEN to bump to 5000/hr.

"checksum mismatch"

Hard-fail. Indicates tampered download or publisher re-signing without updating the release. Do not force-install; report upstream.

Limitations (Phase 1)

  • Linux-only (Lite/Desktop editions not yet supported)
  • Docker edition only (runtime dir /app/data/.runtime/bin)
  • Installs all top-level executables in an archive (no interactive picker if archive contains multiple binaries)
  • No version history / rollback — re-installing replaces in place
  • Global manifest (not per-tenant)

Updating Installed Packages

Update flow is Phase 1 GitHub-only (pip/npm/apk deferred to Phase 2).

UI

The Runtime & Packages page renders a summary bar above the GitHub Binaries section when updates are available:

┌─────────────────────────────────────────────────────────┐
│ 🟡 3 updates available                                   │
│    Last checked 5m ago   [Refresh]  [Update All]        │
└─────────────────────────────────────────────────────────┘

Per-row [Update] buttons appear next to each package with a newer release. Clicking applies the update via atomic .bak swap with automatic rollback on failure.

API

All write endpoints require master-scope admin (tenant admins are denied):

Endpoint Purpose
GET /v1/packages/updates Cache snapshot + {stale, ageSeconds, ttlSeconds} (operator+)
POST /v1/packages/updates/refresh Force sync CheckAll — fetch from GitHub
POST /v1/packages/update Apply one: body {"package":"github:lazygit","toVersion":"v0.44.5"}
POST /v1/packages/updates/apply-all Sequential apply; body {"packages":[...]} (empty = all). Always returns 200 — inspect failed[]

Behaviour

  • Stale-while-revalidate: GET /updates returns the cached snapshot immediately and triggers a background refresh if the cache is older than packages.updates_check_ttl (default 1h).
  • ETag: responses use If-None-Match, so repeated checks cost zero rate-limit budget (304 responses don't count against 60/hr).
  • Pre-releases: if your current tag matches (-alpha|-beta|-rc|-pre|-preview|-dev|-nightly), the checker polls both /releases/latest and /releases?per_page=5 and picks the newest via golang.org/x/mod/semver.Compare. This correctly handles the v1.0.0-rc.1 → v1.0.0 stable transition.
  • Non-semver tags (e.g. 2024-01-15): string-compare fallback. Never downgrades — if the candidate string is lexically less than current, the update is suppressed.
  • Atomic swap: two-phase rename. Phase A renames ALL current binaries to {name}.bak.{unixNano}; Phase B renames the new binaries in place. On any failure during Phase B, Phase A's renames are rolled back. Manifest is persisted AFTER all swaps succeed, with retries (100ms/500ms/1s).

WebSocket events

Owner clients receive (non-owner master admins use the HTTP API directly):

package.update.checked    {count, checked_at}
package.update.started    {source, name, from_version, to_version}
package.update.succeeded  {source, name, from_version, to_version, duration_ms}
package.update.failed     {source, name, reason}

Troubleshooting Updates

"Binary updated but manifest save failed" (manifestDesynced=true)

The .bak files are deleted but the manifest didn't record the new version. Next update attempt will re-apply the same version. Manual recovery is not required — just run the update again OR restart the gateway (which re-reads the manifest). No data loss.

Corrupt updates cache

Symptom: UI shows no updates available despite newer releases.

Recovery: delete /app/data/.runtime/updates-cache.json, click [Refresh].

Rate-limit exhaustion

Symptom: Refresh returns 429 or check returns partial results.

Check response header X-RateLimit-Reset (Unix epoch). Wait or set packages.github_token in config (Phase 2 auth — unwired in Phase 1).

Scratch dir leftover after crash

Path: {BinDir}/../tmp/{name}-{tag}-{nanos}/

Safe to remove any {name}-*-* directory under tmp after ensuring no active update is in flight. Phase 2 will add startup GC.

Mid-swap process crash

Phase 1 leaves .bak.{nanos} files on disk. Manual recovery:

  1. Check {BinDir} for *.bak.* files.
  2. If the main binary is MISSING, rename the .bak.{nanos} back to the original name.
  3. If the main binary EXISTS but is the new version you wanted, delete the .bak.{nanos}.
  4. Re-run the update via UI — idempotent.

See Also