Security/harden shell cicd

.github/workflows/ci.yaml

@@ -29,7 +29,7 @@ jobs:
           node-version: 22
 
       - name: Install dependencies
-        run: npm install
+        run: npm ci
 
       - name: Run jscpd
         # Threshold 7% is the current baseline (see .jscpd.json). The job
@@ -64,7 +64,7 @@ jobs:
           node-version: 22
 
       - name: Install dependencies
-        run: npm install
+        run: npm ci
 
       - name: Build (typecheck + emit bundle artefacts)
         # `build` runs `tsc && esbuild`, which is a strict superset of
@@ -331,7 +331,7 @@ jobs:
         # tree-sitter.mjs exit 1 here, failing the job at the earliest
         # possible step (instead of swallowing the warning and failing
         # later in tsc with a confusing "Cannot find module" error).
-        run: npm install
+        run: npm ci
 
       - name: Build (typecheck + emit bundle artefacts)
         # Second backstop: if the strict-postinstall path somehow doesn't

.github/workflows/release.yaml

@@ -249,9 +249,10 @@ jobs:
           cache: "npm"
 
       - name: Load secrets from 1Password
+        id: op_secrets
         uses: 1Password/load-secrets-action@v4.0.0
         with:
-          export-env: true
+          export-env: false
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           CLAWHUB_TOKEN: "op://GitHub Actions/hivemind/CLAWHUB_TOKEN"
@@ -319,8 +320,11 @@ jobs:
       - name: Authenticate ClawHub CLI
         # `clawhub login --token` writes a credential file inside the
         # runner's $HOME, which is ephemeral and discarded when the job
-        # ends. The token only ever appears as ${{ secrets.* }}, which
-        # GitHub auto-masks in logs.
+        # ends. The token is scoped to this step only (not exported to all
+        # steps via export-env) to limit the blast radius if any build step
+        # is compromised.
+        env:
+          CLAWHUB_TOKEN: ${{ steps.op_secrets.outputs.CLAWHUB_TOKEN }}
         run: clawhub login --token "$CLAWHUB_TOKEN" --no-browser
 
       - name: Publish openclaw bundle to ClawHub

src/cli/update.ts

@@ -280,7 +280,7 @@ export async function runUpdate(opts: UpdateOptions = {}): Promise<number> {
   switch (detected.kind) {
     case "npm-global": {
       if (opts.dryRun) {
-        log(`(dry-run) Would run: npm install -g ${PKG_NAME}@latest`);
+        log(`(dry-run) Would run: npm install -g ${PKG_NAME}@${latest}`);
         log(`(dry-run) Would re-run: hivemind install --skip-auth`);
         return 0;
       }
@@ -297,10 +297,14 @@ export async function runUpdate(opts: UpdateOptions = {}): Promise<number> {
       try {
         log(`Upgrading via npm…`);
         try {
-          spawn("npm", ["install", "-g", `${PKG_NAME}@latest`]);
+          // Pin to the exact version fetched from the registry rather than
+          // re-resolving `@latest` at install time — avoids a race where a
+          // new (potentially malicious) publish lands between the version
+          // check and the install.
+          spawn("npm", ["install", "-g", `${PKG_NAME}@${latest}`]);
         } catch (e: any) {
           warn(`npm install failed: ${e.message}`);
-          warn(`Try running it manually: npm install -g ${PKG_NAME}@latest`);
+          warn(`Try running it manually: npm install -g ${PKG_NAME}@${latest}`);
           return 1;
         }
         log(``);

src/hooks/memory-path-utils.ts

@@ -8,22 +8,29 @@ export const HOME_VAR_PATH = "$HOME/.deeplake/memory";
 export const SAFE_BUILTINS = new Set([
   "cat", "ls", "cp", "mv", "rm", "rmdir", "mkdir", "touch", "ln", "chmod",
   "stat", "readlink", "du", "tree", "file",
-  "grep", "egrep", "fgrep", "rg", "sed", "awk", "cut", "tr", "sort", "uniq",
+  // sed and awk removed: sed supports `-e '1e <cmd>'` (execute shell command)
+  // and awk supports `system()` / `|` pipelines — both enable arbitrary code
+  // execution through the just-bash fallback.
+  "grep", "egrep", "fgrep", "rg", "cut", "tr", "sort", "uniq",
   "wc", "head", "tail", "tac", "rev", "nl", "fold", "expand", "unexpand",
   "paste", "join", "comm", "column", "diff", "strings", "split",
   "find", "xargs", "which",
   "jq", "yq", "xan", "base64", "od",
-  "tar", "gzip", "gunzip", "zcat",
+  // tar removed: --to-command=<cmd> executes an arbitrary program per entry.
+  // env removed: `env <cmd>` runs an arbitrary program.
+  "gzip", "gunzip", "zcat",
   "md5sum", "sha1sum", "sha256sum",
   "echo", "printf", "tee",
-  "pwd", "cd", "basename", "dirname", "env", "printenv", "hostname", "whoami",
+  "pwd", "cd", "basename", "dirname", "printenv", "hostname", "whoami",
   "date", "seq", "expr", "sleep", "timeout", "time", "true", "false", "test",
   "alias", "unalias", "history", "help", "clear",
   "for", "while", "do", "done", "if", "then", "else", "fi", "case", "esac",
 ]);
 
 export function isSafe(cmd: string): boolean {
-  if (/\$\(|`|<\(/.test(cmd)) return false;
+  // $'...' is ANSI-C quoting: bash expands escape sequences inside it before
+  // the child process sees them, bypassing the single-quote stripping below.
+  if (/\$\(|`|<\(|\$'/.test(cmd)) return false;
   const stripped = cmd.replace(/'[^']*'/g, "''").replace(/"[^"]*"/g, '""');
   const stages = stripped.split(/\||;|&&|\|\||\n/);
   for (const stage of stages) {

src/hooks/pre-tool-use.ts

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { existsSync, mkdirSync, writeFileSync } from "node:fs";
+import { mkdirSync, writeFileSync } from "node:fs";
 import { homedir } from "node:os";
 import { join, dirname, sep } from "node:path";
 import { fileURLToPath } from "node:url";
@@ -31,9 +31,6 @@ export { isSafe, touchesMemory, rewritePaths };
 const log = (msg: string) => _log("pre", msg);
 
 const __bundleDir = dirname(fileURLToPath(import.meta.url));
-const SHELL_BUNDLE = existsSync(join(__bundleDir, "shell", "deeplake-shell.js"))
-  ? join(__bundleDir, "shell", "deeplake-shell.js")
-  : join(__bundleDir, "..", "shell", "deeplake-shell.js");
 
 export interface PreToolUseInput {
   session_id: string;
@@ -131,7 +128,11 @@ export function getShellCommand(toolName: string, toolInput: Record<string, unkn
         const flags: string[] = ["-r"];
         if (toolInput["-i"]) flags.push("-i");
         if (toolInput["-n"]) flags.push("-n");
-        return `grep ${flags.join(" ")} '${pattern}' /`;
+        // Single-quote the pattern safely: escape any embedded single quotes
+        // so the string can never break out of the shell quoting context if
+        // this command string is ever forwarded to a shell executor.
+        const escaped = pattern.replace(/'/g, "'\\''");
+        return `grep ${flags.join(" ")} '${escaped}' /`;
       }
       break;
     }
@@ -189,13 +190,6 @@ export function extractGrepParams(
   return null;
 }
 
-function buildFallbackDecision(shellCmd: string, shellBundle = SHELL_BUNDLE): ClaudePreToolDecision {
-  return buildAllowDecision(
-    `node "${shellBundle}" -c "${shellCmd.replace(/"/g, '\\"')}"`,
-    `[DeepLake shell] ${shellCmd}`,
-  );
-}
-
 interface ClaudePreToolDeps {
   config?: ReturnType<typeof loadConfig>;
   createApi?: (table: string, config: NonNullable<ReturnType<typeof loadConfig>>) => DeeplakeApi;
@@ -209,7 +203,6 @@ interface ClaudePreToolDeps {
   readCachedIndexContentFn?: typeof readCachedIndexContent;
   writeCachedIndexContentFn?: typeof writeCachedIndexContent;
   writeReadCacheFileFn?: typeof writeReadCacheFile;
-  shellBundle?: string;
   logFn?: (msg: string) => void;
 }
 
@@ -233,7 +226,6 @@ export async function processPreToolUse(input: PreToolUseInput, deps: ClaudePreT
     readCachedIndexContentFn = readCachedIndexContent,
     writeCachedIndexContentFn = writeCachedIndexContent,
     writeReadCacheFileFn = writeReadCacheFile,
-    shellBundle = SHELL_BUNDLE,
     logFn = log,
   } = deps;
 
@@ -290,7 +282,7 @@ export async function processPreToolUse(input: PreToolUseInput, deps: ClaudePreT
   }
 
   if (!shellCmd) return null;
-  if (!config) return buildFallbackDecision(shellCmd, shellBundle);
+  if (!config) return null;
 
   const table = process.env["HIVEMIND_TABLE"] ?? "memory";
   const sessionsTable = process.env["HIVEMIND_SESSIONS_TABLE"] ?? "sessions";
@@ -514,10 +506,16 @@ export async function processPreToolUse(input: PreToolUseInput, deps: ClaudePreT
       }
     }
   } catch (e: any) {
-    logFn(`direct query failed, falling back to shell: ${e.message}`);
+    logFn(`direct query failed: ${e.message}`);
   }
 
-  return buildFallbackDecision(shellCmd, shellBundle);
+  // No compiled handler matched (or a direct query failed). Do NOT fall
+  // through to the shell executor: the shell bundle runs commands via
+  // just-bash which may invoke real host binaries, creating a code-execution
+  // surface for injected patterns in unhandled commands (e.g. `sort`, `cut`).
+  // Return null so the original tool runs unmodified; it will fail harmlessly
+  // because the virtual paths do not exist on the real filesystem.
+  return null;
 }
 
 /* c8 ignore start */

src/notifications/sources/backend.ts

@@ -65,6 +65,10 @@ function toClient(n: ServerNotification): Notification | null {
     // dedup_key is hashed in here so a server that reuses the same UUID
     // with a fresh dedup_key (rare but supported) re-fires for the user.
     dedupKey: { id: n.id, dedup_key: n.dedup_key ?? "" },
+    // Server-controlled content must not reach the model's additionalContext:
+    // an attacker who can push a notification can otherwise inject arbitrary
+    // instructions into the agent's system prompt.
+    userVisibleOnly: true,
   };
 }