From defad85209c38948c9997f4418801a6f61a33698 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 10:46:57 -0700 Subject: [PATCH 01/24] feat(install): supply-chain hardening (#507) + fix Gemini crash on Windows (#506) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #507 items 1-2 and fixes #506. Issue #507 asked for version-pinned installs from a trusted source, immutable releases, and build-provenance attestations. This commit ships: - `--version v0.X.Y` / positional / `-Version` flag across all three installers (bash, PowerShell, cmd) so users can pin to reviewed versions. Default stays `latest` — every existing `curl | bash` / `irm | iex` invocation works unchanged. install.cmd gained `--version` as an alias to its existing positional form for surface-area consistency. - SLSA build provenance attestations via `actions/attest-build-provenance` (SHA-pinned to v4.1.0) in release.yml. Covers all 10 compiled binaries (5 plannotator + 5 paste-service). Top-level workflow permissions tightened from `contents: write` to `contents: read`, with per-job overrides where needed. Attestation step is gated on tag pushes so PR dry-runs don't pollute Sigstore's transparency log. - Opt-in provenance verification in all three installers, resolved via a three-layer precedence ladder: 1. CLI flag `--verify-attestation` / `-VerifyAttestation` 2. Env var `PLANNOTATOR_VERIFY_ATTESTATION=1` 3. Config `~/.plannotator/config.json` → `verifyAttestation: true` 4. Default off Off-by-default matches every major ecosystem installer (rustup, brew, bun, deno, helm) and avoids a UX failure for the majority of users who don't have `gh` installed or authenticated. Security-conscious users get three ergonomic opt-in paths. When enabled, the installer hard-fails if `gh` is missing so opt-in is never silently skipped. - `PlannotatorConfig.verifyAttestation?: boolean` added to `packages/shared/config.ts`. Pure additive schema change; no runtime consumer exists (the field is read only by the install scripts). No UI surface — this is an OS-level power-user knob only. - Documentation rewritten in README.md, apps/hook/README.md, and the marketing install page with both pinned-version examples and a "Verifying your install" section covering manual `gh attestation verify` and offline `cosign verify-blob` paths. - Release skill updated to note that the release pipeline now emits SLSA attestations and (post-merge) GitHub Immutable Releases will be enabled on the repo. Issue #506 (install.cmd crash on Windows when Gemini is present): Root cause was cmd.exe's `setlocal enabledelayedexpansion` eating `!` chars in the embedded `node -e "..."` Gemini settings merge script. Cmd's Phase 2 parser treated `!s.hooks)s.hooks={};if(!` as a variable expansion, corrupting the JS before node saw it. Fixed by rewriting the JS to use the `||` idiom (`s.hooks = s.hooks || {}`) which contains no `!` characters — semantically identical, and sidesteps cmd's parser entirely with no escape gymnastics and no new dependencies. Added regression test in scripts/install.test.ts that asserts the `||` form is present and `if(!s.hooks)` is absent, so re-introducing the bug would fail CI. Test suite expanded from 23 to 29 tests covering: - Gemini #506 regression - Three-layer opt-in wiring assertions for all three installers - install.sh guard check (the executable `gh attestation verify` call must live behind the `verify_attestation -eq 1` gate, so the default path never invokes gh) - PlannotatorConfig schema assertion Out of scope (tracked): - Immutable Releases toggle in repo Settings (one-click, post-merge). - SLSA Build L3 via `slsa-framework/slsa-github-generator` (requires restructuring release.yml around a reusable workflow). - Issue #507 item 3: UI update-cooldown setting. For provenance purposes, this commit was AI assisted. --- .agents/skills/release/SKILL.md | 3 + .github/workflows/release.yml | 23 ++- README.md | 38 +++++ apps/hook/README.md | 28 ++++ .../docs/getting-started/installation.md | 56 +++++++ packages/shared/config.ts | 8 + scripts/install.cmd | 84 ++++++++++- scripts/install.ps1 | 82 +++++++++- scripts/install.sh | 140 +++++++++++++++++- scripts/install.test.ts | 89 +++++++++++ 10 files changed, 535 insertions(+), 16 deletions(-) diff --git a/.agents/skills/release/SKILL.md b/.agents/skills/release/SKILL.md index bcb5f178..e86632d1 100644 --- a/.agents/skills/release/SKILL.md +++ b/.agents/skills/release/SKILL.md @@ -189,9 +189,12 @@ If anything is missing, fix it before proceeding to Phase 4. Common fixes: - Runs tests - Cross-compiles binaries for 5 platforms (macOS ARM64/x64, Linux x64/ARM64, Windows x64) - Compiles paste service binaries (same 5 platforms) + - Generates SLSA build provenance attestations for all 10 binaries via `actions/attest-build-provenance` (signed through Sigstore, recorded in Rekor) - Creates the GitHub Release with all binaries attached - Publishes `@plannotator/opencode` and `@plannotator/pi-extension` to npm with provenance + **Note on immutable releases:** The repo has GitHub Immutable Releases enabled, so once the `v*` tag is pushed and the release is created, the tag→commit and tag→asset bindings are permanent. You cannot delete and re-create a tag to "fix" a bad release — you must ship a new version. Release notes remain editable (see step 5), but everything else is locked. + 4. **Monitor the pipeline:** Watch the release workflow run until it completes: ```bash diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e722713d..165b955e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,8 +15,7 @@ on: default: true permissions: - contents: write - id-token: write + contents: read env: DRY_RUN: ${{ !(startsWith(github.ref, 'refs/tags/') || inputs.dry-run == 'false') }} @@ -47,6 +46,10 @@ jobs: build: needs: test runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + attestations: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -101,6 +104,22 @@ jobs: bun build apps/paste-service/targets/bun.ts --compile --target=bun-windows-x64 --outfile plannotator-paste-win32-x64.exe sha256sum plannotator-paste-win32-x64.exe > plannotator-paste-win32-x64.exe.sha256 + - name: Generate SLSA build provenance attestation + if: startsWith(github.ref, 'refs/tags/') + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + with: + subject-path: | + plannotator-darwin-arm64 + plannotator-darwin-x64 + plannotator-linux-x64 + plannotator-linux-arm64 + plannotator-win32-x64.exe + plannotator-paste-darwin-arm64 + plannotator-paste-darwin-x64 + plannotator-paste-linux-x64 + plannotator-paste-linux-arm64 + plannotator-paste-win32-x64.exe + - name: Upload artifacts uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: diff --git a/README.md b/README.md index 9464e0ef..e93f8376 100644 --- a/README.md +++ b/README.md @@ -66,15 +66,53 @@ Plannotator lets you privately share plans, annotations, and feedback with colle **macOS / Linux / WSL:** ```bash +# Latest release curl -fsSL https://plannotator.ai/install.sh | bash + +# Pin to a specific reviewed version +curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.1 ``` **Windows PowerShell:** ```powershell +# Latest release irm https://plannotator.ai/install.ps1 | iex + +# Pin to a specific reviewed version +& ([scriptblock]::Create((irm https://plannotator.ai/install.ps1))) -Version v0.17.1 +``` + +### Verifying your install + +Every released binary ships with a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore. To verify provenance manually: + +```bash +# Online (requires `gh auth login`) +gh attestation verify ~/.local/bin/plannotator --repo backnotprop/plannotator + +# Offline (no GitHub login required) +cosign verify-blob \ + --certificate-identity-regexp 'https://github.com/backnotprop/plannotator/.github/workflows/release.yml@.*' \ + --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \ + ~/.local/bin/plannotator ``` +To make the installer run provenance verification automatically on every upgrade (opt-in): + +```bash +# One-shot +curl -fsSL https://plannotator.ai/install.sh | bash -s -- --verify-attestation + +# Persistent via env var +export PLANNOTATOR_VERIFY_ATTESTATION=1 + +# Persistent via config file +echo '{ "verifyAttestation": true }' > ~/.plannotator/config.json +``` + +Precedence: CLI flag > env var > config file > default (off). When enabled, the installer requires `gh` installed and authenticated; otherwise it hard-fails. See [the full docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install) for details. + **Then in Claude Code:** ``` diff --git a/apps/hook/README.md b/apps/hook/README.md index 2f16ea0c..71318f6d 100644 --- a/apps/hook/README.md +++ b/apps/hook/README.md @@ -8,19 +8,47 @@ Install the `plannotator` command so Claude Code can use it: **macOS / Linux / WSL:** ```bash +# Latest release curl -fsSL https://plannotator.ai/install.sh | bash + +# Pin to a specific reviewed version +curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.1 ``` **Windows PowerShell:** ```powershell +# Latest release irm https://plannotator.ai/install.ps1 | iex + +# Pin to a specific reviewed version +& ([scriptblock]::Create((irm https://plannotator.ai/install.ps1))) -Version v0.17.1 ``` **Windows CMD:** ```cmd curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd && del install.cmd + +REM Pin to a specific reviewed version +curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd --version v0.17.1 && del install.cmd ``` +### Verifying your install + +Released binaries ship with SHA256 sidecars (verified automatically on every install) and [SLSA build provenance](https://slsa.dev/) attestations signed via Sigstore. Manual verification: + +```bash +# Online (requires `gh auth login`) +gh attestation verify ~/.local/bin/plannotator --repo backnotprop/plannotator + +# Offline (no GitHub login required) +cosign verify-blob \ + --certificate-identity-regexp 'https://github.com/backnotprop/plannotator/.github/workflows/release.yml@.*' \ + --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \ + ~/.local/bin/plannotator +``` + +Provenance verification is **off by default** in the installer. Enable auto-verification on every upgrade by passing `--verify-attestation` (bash/cmd) or `-VerifyAttestation` (PowerShell), exporting `PLANNOTATOR_VERIFY_ATTESTATION=1`, or setting `{ "verifyAttestation": true }` in `~/.plannotator/config.json`. When enabled, the installer requires `gh` installed and authenticated — see [the full docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install). + --- [Plugin Installation](#plugin-installation) · [Manual Installation (Hooks)](#manual-installation-hooks) · [Obsidian Integration](#obsidian-integration) diff --git a/apps/marketing/src/content/docs/getting-started/installation.md b/apps/marketing/src/content/docs/getting-started/installation.md index 28eb4f2b..046b0d27 100644 --- a/apps/marketing/src/content/docs/getting-started/installation.md +++ b/apps/marketing/src/content/docs/getting-started/installation.md @@ -15,23 +15,79 @@ Install the `plannotator` command so your agent can use it. **macOS / Linux / WSL:** ```bash +# Latest release curl -fsSL https://plannotator.ai/install.sh | bash + +# Pin to a specific reviewed version +curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.1 ``` **Windows PowerShell:** ```powershell +# Latest release irm https://plannotator.ai/install.ps1 | iex + +# Pin to a specific reviewed version +& ([scriptblock]::Create((irm https://plannotator.ai/install.ps1))) -Version v0.17.1 ``` **Windows CMD:** ```cmd curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd && del install.cmd + +REM Pin to a specific reviewed version +curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd --version v0.17.1 && del install.cmd ``` The install script respects `CLAUDE_CONFIG_DIR` if set, placing hooks in your custom config directory instead of `~/.claude`. +### Verifying your install + +Every released binary is accompanied by a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore and recorded in the public transparency log. The attestation cryptographically ties the binary to the exact commit and GitHub Actions workflow that built it. + +**Manual verification (recommended for one-off audits):** + +```bash +# Uses GitHub's attestation API — requires `gh auth login` +gh attestation verify ~/.local/bin/plannotator --repo backnotprop/plannotator +``` + +Or verify offline with cosign (no GitHub login required): + +```bash +cosign verify-blob \ + --certificate-identity-regexp 'https://github.com/backnotprop/plannotator/.github/workflows/release.yml@.*' \ + --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \ + ~/.local/bin/plannotator +``` + +**Automatic verification during install/upgrade (opt-in):** + +Provenance verification is **off by default** in the installer — the same default every major `curl | bash` installer uses (rustup, brew, bun, deno, helm). SHA256 verification always runs. To have the installer additionally run `gh attestation verify` on every upgrade, enable it via any of the three mechanisms below. Precedence is CLI flag > env var > config file > default. + +1. **Per-install flag** (one-shot, explicit): + ```bash + curl -fsSL https://plannotator.ai/install.sh | bash -s -- --verify-attestation + ``` + PowerShell: `... -VerifyAttestation`. Windows cmd: `install.cmd --verify-attestation`. + +2. **Environment variable** (persist in your shell RC): + ```bash + export PLANNOTATOR_VERIFY_ATTESTATION=1 + ``` + Scoped to whichever shell sessions export it. Follows the same `PLANNOTATOR_*` convention as `PLANNOTATOR_REMOTE`, `PLANNOTATOR_PORT`, etc. + +3. **Config file** (persist shell-agnostic): + ```bash + mkdir -p ~/.plannotator + echo '{ "verifyAttestation": true }' > ~/.plannotator/config.json + ``` + Or merge into an existing `~/.plannotator/config.json`. This applies regardless of which shell launches the installer — useful for GUI-launched terminals on macOS or `install.cmd` run from Explorer on Windows. Managed easily by dotfiles / Ansible / other provisioning tools. + +When enabled, the installer requires `gh` CLI installed and authenticated (`gh auth login`). If `gh` is missing or the check fails, the install hard-fails so you don't silently skip verification you asked for. To force-skip for a single install, pass `--skip-attestation` (bash/cmd) or `-SkipAttestation` (PowerShell). + ## Claude Code ### Plugin marketplace (recommended) diff --git a/packages/shared/config.ts b/packages/shared/config.ts index 94e1a742..5aed0b0a 100644 --- a/packages/shared/config.ts +++ b/packages/shared/config.ts @@ -34,6 +34,14 @@ export interface PlannotatorConfig { conventionalComments?: boolean; /** null = explicitly cleared (use defaults), undefined = not set */ conventionalLabels?: CCLabelConfig[] | null; + /** + * Enable `gh attestation verify` during CLI installation/upgrade. + * Read by scripts/install.sh|ps1|cmd on every run (not by any runtime code). + * When true, the installer runs build-provenance verification after the + * SHA256 checksum check; requires `gh` CLI installed and authenticated + * (`gh auth login`). OS-level opt-in only — no UI surface. Default: false. + */ + verifyAttestation?: boolean; } const CONFIG_DIR = join(homedir(), ".plannotator"); diff --git a/scripts/install.cmd b/scripts/install.cmd index 07265ad8..51d36564 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -3,9 +3,40 @@ setlocal enabledelayedexpansion REM Plannotator Windows CMD Bootstrap Script -REM Parse command line argument +REM Parse command line arguments +set "VERSION=latest" +REM Three-layer opt-in for SLSA provenance verification. +REM Precedence: CLI flag > env var > %USERPROFILE%\.plannotator\config.json > default. +REM -1 = flag not set (fall through); 0 = disable; 1 = enable. +set "VERIFY_ATTESTATION_FLAG=-1" + +:parse_args +if "%~1"=="" goto args_done +if /i "%~1"=="--version" ( + if "%~2"=="" ( + echo --version requires an argument >&2 + exit /b 1 + ) + set "VERSION=%~2" + shift + shift + goto parse_args +) +if /i "%~1"=="--verify-attestation" ( + set "VERIFY_ATTESTATION_FLAG=1" + shift + goto parse_args +) +if /i "%~1"=="--skip-attestation" ( + set "VERIFY_ATTESTATION_FLAG=0" + shift + goto parse_args +) +REM Positional form: install.cmd v0.17.1 (legacy interface) set "VERSION=%~1" -if "!VERSION!"=="" set "VERSION=latest" +shift +goto parse_args +:args_done set "REPO=backnotprop/plannotator" set "INSTALL_DIR=%USERPROFILE%\.local\bin" @@ -105,6 +136,53 @@ if /i "!ACTUAL_CHECKSUM!" neq "!EXPECTED_CHECKSUM!" ( exit /b 1 ) +REM Resolve SLSA build-provenance verification opt-in. +REM Precedence: CLI flag > env var > config.json > default (off). +set "VERIFY_ATTESTATION=0" + +REM Layer 3: config file (lowest precedence of the opt-in sources). +if exist "%USERPROFILE%\.plannotator\config.json" ( + findstr /r /c:"\"verifyAttestation\"[ ]*:[ ]*true" "%USERPROFILE%\.plannotator\config.json" >nul 2>&1 + if !ERRORLEVEL! equ 0 set "VERIFY_ATTESTATION=1" +) + +REM Layer 2: env var (overrides config file). +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="1" set "VERIFY_ATTESTATION=1" +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="true" set "VERIFY_ATTESTATION=1" +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="yes" set "VERIFY_ATTESTATION=1" +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="0" set "VERIFY_ATTESTATION=0" +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="false" set "VERIFY_ATTESTATION=0" +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="no" set "VERIFY_ATTESTATION=0" + +REM Layer 1: CLI flag (overrides everything). +if "!VERIFY_ATTESTATION_FLAG!"=="1" set "VERIFY_ATTESTATION=1" +if "!VERIFY_ATTESTATION_FLAG!"=="0" set "VERIFY_ATTESTATION=0" + +if "!VERIFY_ATTESTATION!"=="1" ( + where gh >nul 2>&1 + if !ERRORLEVEL! equ 0 ( + gh attestation verify "!TEMP_FILE!" --repo !REPO! >nul 2>&1 + if !ERRORLEVEL! neq 0 ( + echo Attestation verification failed! >&2 + echo The binary's SHA256 matched, but no valid signed provenance was found >&2 + echo for !REPO!. Refusing to install. >&2 + del "!TEMP_FILE!" + exit /b 1 + ) + echo [OK] verified build provenance ^(SLSA^) + ) else ( + echo verifyAttestation is enabled but gh CLI was not found. >&2 + echo Install https://cli.github.com ^(and run 'gh auth login'^), >&2 + echo or unset PLANNOTATOR_VERIFY_ATTESTATION / remove verifyAttestation >&2 + echo from %USERPROFILE%\.plannotator\config.json / pass --skip-attestation. >&2 + del "!TEMP_FILE!" + exit /b 1 + ) +) else ( + echo SHA256 verified. For build provenance verification, see + echo https://plannotator.ai/docs/getting-started/installation/#verifying-your-install +) + REM Install binary set "INSTALL_PATH=!INSTALL_DIR!\plannotator.exe" move /y "!TEMP_FILE!" "!INSTALL_PATH!" >nul @@ -305,7 +383,7 @@ echo } if !ERRORLEVEL! equ 0 ( set "GEMINI_SETTINGS_PATH=%USERPROFILE%\.gemini\settings.json" set "GEMINI_SETTINGS_FWD=!GEMINI_SETTINGS_PATH:\=/!" - node -e "const fs=require('fs');const s=JSON.parse(fs.readFileSync('!GEMINI_SETTINGS_FWD!','utf8'));if(!s.hooks)s.hooks={};if(!s.hooks.BeforeTool)s.hooks.BeforeTool=[];s.hooks.BeforeTool.push({matcher:'exit_plan_mode',hooks:[{type:'command',command:'plannotator',timeout:345600}]});fs.writeFileSync('!GEMINI_SETTINGS_FWD!',JSON.stringify(s,null,2)+'\n');" + node -e "const fs=require('fs');const s=JSON.parse(fs.readFileSync('!GEMINI_SETTINGS_FWD!','utf8'));s.hooks=s.hooks||{};s.hooks.BeforeTool=s.hooks.BeforeTool||[];s.hooks.BeforeTool.push({matcher:'exit_plan_mode',hooks:[{type:'command',command:'plannotator',timeout:345600}]});fs.writeFileSync('!GEMINI_SETTINGS_FWD!',JSON.stringify(s,null,2)+'\n');" echo Added plannotator hook to !GEMINI_SETTINGS_PATH! ) else ( echo. diff --git a/scripts/install.ps1 b/scripts/install.ps1 index c79e7480..96c8c4b0 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -1,4 +1,10 @@ # Plannotator Windows Installer +param( + [string]$Version = "latest", + [switch]$VerifyAttestation, + [switch]$SkipAttestation +) + $ErrorActionPreference = "Stop" $repo = "backnotprop/plannotator" @@ -28,13 +34,22 @@ foreach ($oldPath in $oldLocations) { } } -Write-Host "Fetching latest version..." -$release = Invoke-RestMethod -Uri "https://api.github.com/repos/$repo/releases/latest" -$latestTag = $release.tag_name +if ($Version -eq "latest") { + Write-Host "Fetching latest version..." + $release = Invoke-RestMethod -Uri "https://api.github.com/repos/$repo/releases/latest" + $latestTag = $release.tag_name -if (-not $latestTag) { - Write-Error "Failed to fetch latest version" - exit 1 + if (-not $latestTag) { + Write-Error "Failed to fetch latest version" + exit 1 + } +} else { + # Normalize: auto-prefix v if missing (matches install.cmd behaviour) + if ($Version -like "v*") { + $latestTag = $Version + } else { + $latestTag = "v$Version" + } } Write-Host "Installing plannotator $latestTag..." @@ -68,6 +83,61 @@ if ($actualChecksum -ne $expectedChecksum) { exit 1 } +# Resolve SLSA build-provenance verification opt-in. +# Precedence: CLI flag > env var > ~/.plannotator/config.json > default (off). +$verifyAttestationResolved = $false + +# Layer 3: config file (lowest precedence of the opt-in sources). +$configPath = "$env:USERPROFILE\.plannotator\config.json" +if (Test-Path $configPath) { + try { + $cfg = Get-Content $configPath -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop + # Strict check: only a real JSON `true` (parsed as [bool]$true) opts in. + # A stringified "true", a number, etc. do not — matches install.sh, which + # greps for a literal boolean. + if ($cfg.verifyAttestation -is [bool] -and $cfg.verifyAttestation) { + $verifyAttestationResolved = $true + } + } catch { + # Malformed config — ignore, fall through to other layers. + } +} + +# Layer 2: env var (overrides config file). +$envVerify = $env:PLANNOTATOR_VERIFY_ATTESTATION +if ($envVerify) { + if ($envVerify -match '^(1|true|yes)$') { + $verifyAttestationResolved = $true + } elseif ($envVerify -match '^(0|false|no)$') { + $verifyAttestationResolved = $false + } +} + +# Layer 1: CLI flags win. -SkipAttestation beats -VerifyAttestation if both passed. +if ($VerifyAttestation) { $verifyAttestationResolved = $true } +if ($SkipAttestation) { $verifyAttestationResolved = $false } + +if ($verifyAttestationResolved) { + if (Get-Command gh -ErrorAction SilentlyContinue) { + $verifyOutput = & gh attestation verify $tmpFile --repo $repo 2>&1 + if ($LASTEXITCODE -eq 0) { + Write-Host "✓ verified build provenance (SLSA)" + } else { + Write-Host $verifyOutput + Remove-Item $tmpFile -Force + Write-Error "Attestation verification failed! The binary's SHA256 matched, but no valid signed provenance was found for $repo. Refusing to install." + exit 1 + } + } else { + Remove-Item $tmpFile -Force + Write-Error "verifyAttestation is enabled but gh CLI was not found. Install https://cli.github.com (and run 'gh auth login'), or unset PLANNOTATOR_VERIFY_ATTESTATION / remove verifyAttestation from $configPath / pass -SkipAttestation." + exit 1 + } +} else { + Write-Host "SHA256 verified. For build provenance verification, see" + Write-Host "https://plannotator.ai/docs/getting-started/installation/#verifying-your-install" +} + Move-Item -Force $tmpFile "$installDir\plannotator.exe" Write-Host "" diff --git a/scripts/install.sh b/scripts/install.sh index 602db638..aed85e12 100644 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -4,6 +4,80 @@ set -e REPO="backnotprop/plannotator" INSTALL_DIR="$HOME/.local/bin" +VERSION="latest" +# Three-layer opt-in for SLSA build-provenance verification. +# Precedence: CLI flag > env var > ~/.plannotator/config.json > default (off). +# -1 = flag not set yet (fall through to lower layers); 0 = disable; 1 = enable. +VERIFY_ATTESTATION_FLAG=-1 + +usage() { + cat <<'USAGE' +Usage: install.sh [--version ] [--verify-attestation | --skip-attestation] [--help] + install.sh + +Options: + --version Install a specific version (e.g. v0.17.1 or 0.17.1). + Defaults to the latest GitHub release. + --verify-attestation Require SLSA build-provenance verification via + `gh attestation verify`. Fails the install if gh is + not available or the check does not pass. + --skip-attestation Force-skip provenance verification even if enabled + via env var or ~/.plannotator/config.json. + -h, --help Show this help and exit. + +Provenance verification is off by default. Enable it by any of: + - passing --verify-attestation + - exporting PLANNOTATOR_VERIFY_ATTESTATION=1 + - setting { "verifyAttestation": true } in ~/.plannotator/config.json + +Examples: + curl -fsSL https://plannotator.ai/install.sh | bash + curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.1 + curl -fsSL https://plannotator.ai/install.sh | bash -s -- --verify-attestation + bash install.sh v0.17.1 +USAGE +} + +while [ $# -gt 0 ]; do + case "$1" in + --version) + if [ -z "${2:-}" ]; then + echo "--version requires an argument" >&2 + usage >&2 + exit 1 + fi + VERSION="$2" + shift 2 + ;; + --version=*) + VERSION="${1#--version=}" + shift + ;; + --verify-attestation) + VERIFY_ATTESTATION_FLAG=1 + shift + ;; + --skip-attestation) + VERIFY_ATTESTATION_FLAG=0 + shift + ;; + -h|--help) + usage + exit 0 + ;; + -*) + echo "Unknown option: $1" >&2 + usage >&2 + exit 1 + ;; + *) + # Positional form: install.sh v0.17.1 (matches install.cmd interface) + VERSION="$1" + shift + ;; + esac +done + case "$(uname -s)" in Darwin) os="darwin" ;; Linux) os="linux" ;; @@ -27,12 +101,20 @@ if [ -n "$USERPROFILE" ]; then echo "Cleaned up old Windows install locations" fi -echo "Fetching latest version..." -latest_tag=$(curl -fsSL "https://api.github.com/repos/${REPO}/releases/latest" | grep '"tag_name"' | cut -d'"' -f4) +if [ "$VERSION" = "latest" ]; then + echo "Fetching latest version..." + latest_tag=$(curl -fsSL "https://api.github.com/repos/${REPO}/releases/latest" | grep '"tag_name"' | cut -d'"' -f4) -if [ -z "$latest_tag" ]; then - echo "Failed to fetch latest version" >&2 - exit 1 + if [ -z "$latest_tag" ]; then + echo "Failed to fetch latest version" >&2 + exit 1 + fi +else + # Normalize: auto-prefix v if missing (matches install.cmd behaviour) + case "$VERSION" in + v*) latest_tag="$VERSION" ;; + *) latest_tag="v$VERSION" ;; + esac fi echo "Installing plannotator ${latest_tag}..." @@ -59,6 +141,54 @@ if [ "$actual_checksum" != "$expected_checksum" ]; then exit 1 fi +# Resolve SLSA build-provenance verification opt-in. +# Precedence: CLI flag > env var > ~/.plannotator/config.json > default (off). +verify_attestation=0 + +# Layer 3: config file (lowest precedence of the opt-in sources). +# Crude grep against a flat boolean — PlannotatorConfig has no nested +# verifyAttestation, so false positives are not a concern. +if [ -f "$HOME/.plannotator/config.json" ]; then + if grep -q '"verifyAttestation"[[:space:]]*:[[:space:]]*true' "$HOME/.plannotator/config.json" 2>/dev/null; then + verify_attestation=1 + fi +fi + +# Layer 2: env var (overrides config file). +case "${PLANNOTATOR_VERIFY_ATTESTATION:-}" in + 1|true|yes|TRUE|YES|True|Yes) verify_attestation=1 ;; + 0|false|no|FALSE|NO|False|No) verify_attestation=0 ;; +esac + +# Layer 1: CLI flag (overrides everything). +if [ "$VERIFY_ATTESTATION_FLAG" -ne -1 ]; then + verify_attestation="$VERIFY_ATTESTATION_FLAG" +fi + +if [ "$verify_attestation" -eq 1 ]; then + if command -v gh >/dev/null 2>&1; then + if gh attestation verify "$tmp_file" --repo "$REPO" >/dev/null 2>&1; then + echo "✓ verified build provenance (SLSA)" + else + echo "Attestation verification failed!" >&2 + echo "The binary's SHA256 matched, but no valid signed provenance was found" >&2 + echo "for ${REPO}. Refusing to install." >&2 + rm -f "$tmp_file" + exit 1 + fi + else + echo "verifyAttestation is enabled but gh CLI was not found." >&2 + echo "Install https://cli.github.com (and run 'gh auth login')," >&2 + echo "or unset PLANNOTATOR_VERIFY_ATTESTATION / remove verifyAttestation from" >&2 + echo "~/.plannotator/config.json / pass --skip-attestation." >&2 + rm -f "$tmp_file" + exit 1 + fi +else + echo "SHA256 verified. For build provenance verification, see" + echo "https://plannotator.ai/docs/getting-started/installation/#verifying-your-install" +fi + # Remove old binary first (handles Windows .exe and locked file issues) rm -f "$INSTALL_DIR/plannotator" "$INSTALL_DIR/plannotator.exe" 2>/dev/null || true diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 5f08e7af..731c9f44 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -166,4 +166,93 @@ describe("install.cmd", () => { expect(script).toContain("plannotator-annotate.md"); expect(script).toContain("plannotator-last.md"); }); + + test("Gemini settings merge uses || idiom (issue #506 regression)", () => { + // cmd's delayed expansion parser eats `!` operators in `node -e "..."` + // blocks, turning `if(!s.hooks)` into a broken variable expansion and + // crashing node. The merge script must use `x = x || {}` instead, which + // contains no `!` chars. See backnotprop/plannotator#506. + expect(script).toContain("s.hooks=s.hooks||{}"); + expect(script).toContain("s.hooks.BeforeTool=s.hooks.BeforeTool||[]"); + expect(script).not.toContain("if(!s.hooks)"); + expect(script).not.toContain("if(!s.hooks.BeforeTool)"); + }); + + test("attestation verification is off by default with three-layer opt-in", () => { + // Layer 3: config file read (verifyAttestation appears inside a + // findstr pattern with escaped quotes; assert the key + findstr + // separately rather than the quoted form) + expect(script).toContain("%USERPROFILE%\\.plannotator\\config.json"); + expect(script).toContain("verifyAttestation"); + expect(script).toContain("findstr"); + // Layer 2: env var + expect(script).toContain("PLANNOTATOR_VERIFY_ATTESTATION"); + // Layer 1: CLI flags + expect(script).toContain("--verify-attestation"); + expect(script).toContain("--skip-attestation"); + // Enforcement: hard-fail when opted in but gh missing + expect(script).toContain("gh CLI was not found"); + }); +}); + +describe("install shared behavior", () => { + const sh = readFileSync(join(scriptsDir, "install.sh"), "utf-8"); + const ps = readFileSync(join(scriptsDir, "install.ps1"), "utf-8"); + + test("install.sh has three-layer opt-in resolution", () => { + // Layer 3: config file via grep against the flat JSON boolean + expect(sh).toContain("$HOME/.plannotator/config.json"); + expect(sh).toContain('"verifyAttestation"'); + // Layer 2: env var parsing + expect(sh).toContain("PLANNOTATOR_VERIFY_ATTESTATION"); + // Layer 1: CLI flags with sentinel + expect(sh).toContain("--verify-attestation"); + expect(sh).toContain("--skip-attestation"); + expect(sh).toContain("VERIFY_ATTESTATION_FLAG"); + // Enforcement + expect(sh).toContain("gh CLI was not found"); + }); + + test("install.ps1 has three-layer opt-in resolution", () => { + // Layer 3: config file via ConvertFrom-Json + expect(ps).toContain("$env:USERPROFILE\\.plannotator\\config.json"); + expect(ps).toContain("ConvertFrom-Json"); + expect(ps).toContain("$cfg.verifyAttestation"); + // Layer 2: env var + expect(ps).toContain("PLANNOTATOR_VERIFY_ATTESTATION"); + // Layer 1: CLI flags + expect(ps).toContain("[switch]$VerifyAttestation"); + expect(ps).toContain("[switch]$SkipAttestation"); + // Enforcement + expect(ps).toContain("gh CLI was not found"); + }); + + test("install.sh gates gh verification behind verify_attestation guard", () => { + // When the opt-in is off, the installer must print the SHA256-only info + // line and must not invoke gh. + expect(sh).toContain('if [ "$verify_attestation" -eq 1 ]; then'); + expect(sh).toContain("SHA256 verified"); + // The executable `gh attestation verify "$tmp_file"` call (not the + // mention in the --help usage block) must live inside the guarded branch. + const guardIdx = sh.indexOf('if [ "$verify_attestation" -eq 1 ]'); + const execIdx = sh.indexOf('gh attestation verify "$tmp_file"'); + expect(guardIdx).toBeGreaterThan(-1); + expect(execIdx).toBeGreaterThan(guardIdx); + }); +}); + +describe("PlannotatorConfig schema", () => { + test("exports verifyAttestation field", () => { + const configTs = readFileSync( + join(scriptsDir, "..", "packages", "shared", "config.ts"), + "utf-8", + ); + expect(configTs).toContain("verifyAttestation?: boolean"); + // Confirm it's part of the PlannotatorConfig interface, not unrelated code. + const match = configTs.match( + /export interface PlannotatorConfig \{([\s\S]*?)\n\}/ + ); + expect(match).toBeTruthy(); + expect(match![1]).toContain("verifyAttestation?: boolean"); + }); }); From 76f1cfb97c5d60d4002fcbbc53a55c6cec60b731 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 11:14:52 -0700 Subject: [PATCH 02/24] fix(install): address PR #512 review feedback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - docs: drop broken `cosign verify-blob` example. Verified against Sigstore's docs that `cosign verify-blob` requires `--bundle` (or `--signature` + `--certificate`); the shipped command provided neither and could not have worked. Replaced with the canonical `gh attestation verify --repo` flow (gh + auth required, but optional — only needed if a user wants to manually audit provenance) and a link to GitHub's offline-verification docs for advanced workflows. Applied to README.md, apps/hook/README.md, and the marketing install page. - docs: list per-platform binary paths in the manual verification examples. The previous snippets hardcoded `~/.local/bin/plannotator` even though install.ps1 writes to `%LOCALAPPDATA%\plannotator\` and install.cmd writes to `%USERPROFILE%\.local\bin\` — Windows users copying the snippet got file-not-found instead of a verification result. - install.sh: capture and surface `gh attestation verify` stderr on failure instead of redirecting to /dev/null. Diagnosability matches install.ps1, which already prints `$verifyOutput` on failure. The most common failure mode (`gh auth login` not run) is now immediately actionable instead of presenting as a generic "verification failed" error. - install.cmd: reject any unknown dash-prefixed token before the positional fall-through. A typoed `--verify-attesttion` no longer becomes `VERSION=--verify-attesttion` and 404s on a nonsensical download URL — it fails fast with `Unknown option:` and a usage hint. install.sh and install.ps1 already had equivalent guards (case `-*)` arm and PowerShell's strict param block respectively). All 29 install tests still pass. For provenance purposes, this commit was AI assisted. --- README.md | 18 +++++++++++------- apps/hook/README.md | 18 +++++++++++------- .../docs/getting-started/installation.md | 19 ++++++++++--------- scripts/install.cmd | 9 +++++++++ scripts/install.sh | 6 +++++- 5 files changed, 46 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index e93f8376..fa9a7a01 100644 --- a/README.md +++ b/README.md @@ -85,19 +85,23 @@ irm https://plannotator.ai/install.ps1 | iex ### Verifying your install -Every released binary ships with a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore. To verify provenance manually: +Every released binary ships with a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore. The SHA256 check is mandatory; provenance verification is optional and only needed if you want a cryptographic link from the binary back to the exact commit and workflow run that built it. + +If you want to verify provenance manually, install [GitHub CLI](https://cli.github.com) and run: ```bash -# Online (requires `gh auth login`) +# macOS / Linux gh attestation verify ~/.local/bin/plannotator --repo backnotprop/plannotator -# Offline (no GitHub login required) -cosign verify-blob \ - --certificate-identity-regexp 'https://github.com/backnotprop/plannotator/.github/workflows/release.yml@.*' \ - --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \ - ~/.local/bin/plannotator +# Windows (PowerShell installer) +gh attestation verify "$env:LOCALAPPDATA\plannotator\plannotator.exe" --repo backnotprop/plannotator + +# Windows (cmd installer) +gh attestation verify "%USERPROFILE%\.local\bin\plannotator.exe" --repo backnotprop/plannotator ``` +This requires `gh auth login`. For air-gapped or no-auth environments, see GitHub's docs on [verifying attestations offline](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline). + To make the installer run provenance verification automatically on every upgrade (opt-in): ```bash diff --git a/apps/hook/README.md b/apps/hook/README.md index 71318f6d..6062af5c 100644 --- a/apps/hook/README.md +++ b/apps/hook/README.md @@ -34,19 +34,23 @@ curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd --ve ### Verifying your install -Released binaries ship with SHA256 sidecars (verified automatically on every install) and [SLSA build provenance](https://slsa.dev/) attestations signed via Sigstore. Manual verification: +Released binaries ship with SHA256 sidecars (verified automatically on every install) and [SLSA build provenance](https://slsa.dev/) attestations signed via Sigstore. The SHA256 check is mandatory and runs on every install — provenance verification is optional and only needed if you want a cryptographic link from the binary back to the source commit and workflow run. + +To verify provenance manually, install [GitHub CLI](https://cli.github.com), run `gh auth login`, then: ```bash -# Online (requires `gh auth login`) +# macOS / Linux gh attestation verify ~/.local/bin/plannotator --repo backnotprop/plannotator -# Offline (no GitHub login required) -cosign verify-blob \ - --certificate-identity-regexp 'https://github.com/backnotprop/plannotator/.github/workflows/release.yml@.*' \ - --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \ - ~/.local/bin/plannotator +# Windows (PowerShell installer) +gh attestation verify "$env:LOCALAPPDATA\plannotator\plannotator.exe" --repo backnotprop/plannotator + +# Windows (cmd installer) +gh attestation verify "%USERPROFILE%\.local\bin\plannotator.exe" --repo backnotprop/plannotator ``` +For air-gapped or no-auth environments, see GitHub's docs on [verifying attestations offline](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline). + Provenance verification is **off by default** in the installer. Enable auto-verification on every upgrade by passing `--verify-attestation` (bash/cmd) or `-VerifyAttestation` (PowerShell), exporting `PLANNOTATOR_VERIFY_ATTESTATION=1`, or setting `{ "verifyAttestation": true }` in `~/.plannotator/config.json`. When enabled, the installer requires `gh` installed and authenticated — see [the full docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install). --- diff --git a/apps/marketing/src/content/docs/getting-started/installation.md b/apps/marketing/src/content/docs/getting-started/installation.md index 046b0d27..ba46b9fb 100644 --- a/apps/marketing/src/content/docs/getting-started/installation.md +++ b/apps/marketing/src/content/docs/getting-started/installation.md @@ -45,24 +45,25 @@ The install script respects `CLAUDE_CONFIG_DIR` if set, placing hooks in your cu ### Verifying your install -Every released binary is accompanied by a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore and recorded in the public transparency log. The attestation cryptographically ties the binary to the exact commit and GitHub Actions workflow that built it. +Every released binary is accompanied by a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore and recorded in the public transparency log. The SHA256 check is mandatory and always runs. Provenance verification is **optional** — it's only needed if you want a cryptographic link from the binary back to the exact commit and workflow run that built it. **Manual verification (recommended for one-off audits):** +This requires the [GitHub CLI](https://cli.github.com) to be installed and authenticated (`gh auth login`): + ```bash -# Uses GitHub's attestation API — requires `gh auth login` +# macOS / Linux gh attestation verify ~/.local/bin/plannotator --repo backnotprop/plannotator -``` -Or verify offline with cosign (no GitHub login required): +# Windows (PowerShell installer) +gh attestation verify "$env:LOCALAPPDATA\plannotator\plannotator.exe" --repo backnotprop/plannotator -```bash -cosign verify-blob \ - --certificate-identity-regexp 'https://github.com/backnotprop/plannotator/.github/workflows/release.yml@.*' \ - --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \ - ~/.local/bin/plannotator +# Windows (cmd installer) +gh attestation verify "%USERPROFILE%\.local\bin\plannotator.exe" --repo backnotprop/plannotator ``` +For air-gapped or no-auth environments, see GitHub's docs on [verifying attestations offline](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline) (uses `gh attestation download` to fetch the bundle once, then verifies offline against it). + **Automatic verification during install/upgrade (opt-in):** Provenance verification is **off by default** in the installer — the same default every major `curl | bash` installer uses (rustup, brew, bun, deno, helm). SHA256 verification always runs. To have the installer additionally run `gh attestation verify` on every upgrade, enable it via any of the three mechanisms below. Precedence is CLI flag > env var > config file > default. diff --git a/scripts/install.cmd b/scripts/install.cmd index 51d36564..86c2521e 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -32,6 +32,15 @@ if /i "%~1"=="--skip-attestation" ( shift goto parse_args ) +REM Reject any other dash-prefixed token as an unknown option, so a typoed +REM flag like --verify-attesttion fails fast instead of being interpreted as +REM a version tag (which would 404 on releases/download/v--verify-attesttion/...). +echo %~1 | findstr /b "[-]" >nul +if !ERRORLEVEL! equ 0 ( + echo Unknown option: %~1 >&2 + echo Usage: install.cmd [--version ^] [--verify-attestation ^| --skip-attestation] >&2 + exit /b 1 +) REM Positional form: install.cmd v0.17.1 (legacy interface) set "VERSION=%~1" shift diff --git a/scripts/install.sh b/scripts/install.sh index aed85e12..687e2b93 100644 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -167,9 +167,13 @@ fi if [ "$verify_attestation" -eq 1 ]; then if command -v gh >/dev/null 2>&1; then - if gh attestation verify "$tmp_file" --repo "$REPO" >/dev/null 2>&1; then + # Capture combined output so we can surface gh's actual error message + # (auth, network, missing attestation, etc.) on failure instead of a + # generic "verification failed" with no diagnostic detail. + if gh_output=$(gh attestation verify "$tmp_file" --repo "$REPO" 2>&1); then echo "✓ verified build provenance (SLSA)" else + echo "$gh_output" >&2 echo "Attestation verification failed!" >&2 echo "The binary's SHA256 matched, but no valid signed provenance was found" >&2 echo "for ${REPO}. Refusing to install." >&2 From c59c1a5c8c10b19f190db5414ef465198ea271ea Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 12:14:27 -0700 Subject: [PATCH 03/24] test(ci): add Windows integration job for install.cmd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Address the reviewer gap flagged in PR #512: the unit tests in scripts/install.test.ts only do file-content string matching on Linux and never execute cmd.exe, so the #506 fix (rewriting the embedded `node -e` Gemini merge to use `x = x || {}` instead of `if(!x)x=...`) was shipped without any runtime coverage. The previous CI only had ubuntu-latest runners. New `install-cmd-windows` job on `windows-latest`: 1. Seeds a fake `~/.gemini/settings.json` with a pre-existing non- plannotator hook plus unrelated top-level keys (theme, general). The fixture mirrors the shape of a real Gemini settings.json but uses only obviously-fake values and contains no secrets. 2. Runs `scripts\install.cmd v0.17.1 --skip-attestation` end-to-end through real cmd.exe. This exercises the parser under `enabledelayedexpansion`, the embedded `node -e` merge script, and the full install flow. 3. Parses the post-install settings.json with PowerShell and asserts: - The plannotator hook was added to hooks.BeforeTool. - The pre-existing fixture hook is still present (regression guard for the original #506 bug, where cmd ate the `!` in `if(!s.hooks.BeforeTool)s.hooks.BeforeTool=[]` and wiped existing arrays). - Unrelated top-level keys (`theme`, `general.ciFixtureSentinel`) survived the merge untouched. 4. Separately exercises the new unknown-flag rejection added in the previous commit: invokes `install.cmd --verify-attesttion` (typo) via Start-Process and asserts exit code != 0. Before the review fix this would have silently set `VERSION=--verify-attesttion` and 404'd on the download. The job runs in parallel with the existing ubuntu `test` job (no deps, independent runner). Uses the v0.17.1 release as the binary source — that release is pre-PR, so the test is stable against release drift and is testing install.cmd's CODE, not any specific binary. This closes the CI gap where install.cmd had effectively zero runtime coverage and the original #506 bug could have recurred without anyone noticing until a user reported it. For provenance purposes, this commit was AI assisted. --- .github/workflows/test.yml | 110 +++++++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e27092a3..ebcdb180 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -30,3 +30,113 @@ jobs: - name: Run tests run: bun test + + install-cmd-windows: + # End-to-end integration test for scripts/install.cmd on real cmd.exe. + # The unit tests in scripts/install.test.ts are file-content string checks + # that run on Linux and never exercise cmd's delayed-expansion parser or + # the embedded `node -e` Gemini merge — exactly where issue #506 lived. + # This job runs install.cmd end-to-end on Windows with a seeded ~/.gemini + # settings.json fixture so the Gemini merge path actually executes and + # any regression of #506 (or similar cmd-parser bugs) fails CI. + name: install.cmd (Windows integration) + runs-on: windows-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Seed fake ~/.gemini/settings.json with pre-existing hook + shell: pwsh + run: | + New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\.gemini" | Out-Null + # Fixture mirrors the shape of a real Gemini settings.json (top-level + # `hooks.BeforeTool` array plus unrelated sibling keys) but uses only + # obviously-fake values. Must NOT contain the literal string + # "plannotator" anywhere — install.cmd's Gemini block is gated on + # `findstr /c:"plannotator"` returning non-zero and would otherwise + # skip the merge entirely. + $fixture = @' + { + "theme": "ci-fixture-theme", + "hooks": { + "BeforeTool": [ + { + "matcher": "ci-fixture-existing-matcher", + "hooks": [ + { + "type": "command", + "command": "ci-fixture-existing-command", + "timeout": 1000 + } + ] + } + ] + }, + "general": { + "ciFixtureSentinel": true + } + } + '@ + Set-Content -Path "$env:USERPROFILE\.gemini\settings.json" -Value $fixture -NoNewline + + - name: Run install.cmd end-to-end + shell: cmd + run: scripts\install.cmd v0.17.1 --skip-attestation + + - name: Verify Gemini settings.json was merged correctly + shell: pwsh + run: | + $path = "$env:USERPROFILE\.gemini\settings.json" + if (-not (Test-Path $path)) { throw "settings.json missing after install" } + + # Must still parse as JSON after the merge (regression for #506, + # where cmd's delayed expansion corrupted the embedded node script + # and left settings.json in a broken state). + $s = Get-Content $path -Raw | ConvertFrom-Json + + # The plannotator hook must have been added. + $plannotatorEntries = $s.hooks.BeforeTool | Where-Object { + $_.matcher -eq 'exit_plan_mode' + } + if (-not $plannotatorEntries) { + throw "plannotator hook was not added to BeforeTool" + } + $planCmd = $plannotatorEntries[0].hooks | Where-Object { + $_.command -eq 'plannotator' + } + if (-not $planCmd) { + throw "plannotator command entry missing inside the new hook" + } + + # The pre-existing (fixture) hook must have survived the merge. + # The original buggy JS was `if(!s.hooks.BeforeTool)s.hooks.BeforeTool=[]` + # which — after cmd ate the `!` — wiped existing arrays. The fix + # (`s.hooks.BeforeTool = s.hooks.BeforeTool || []`) must preserve them. + $fixtureHook = $s.hooks.BeforeTool | Where-Object { + $_.matcher -eq 'ci-fixture-existing-matcher' + } + if (-not $fixtureHook) { + throw "pre-existing hook was wiped — merge clobbered existing data" + } + + # Unrelated top-level keys must survive the merge. + if ($s.theme -ne 'ci-fixture-theme') { + throw "unrelated top-level field 'theme' was mangled" + } + if ($s.general.ciFixtureSentinel -ne $true) { + throw "unrelated top-level field 'general' was mangled" + } + + Write-Host "✓ Gemini settings.json merge verified (issue #506 regression guard)" + + - name: Unknown flag is rejected with non-zero exit + shell: pwsh + run: | + # Regression guard for the review finding that install.cmd silently + # reinterpreted typoed flags as version strings. A leading-dash token + # that doesn't match a known flag must now produce a non-zero exit. + $p = Start-Process -Wait -PassThru -NoNewWindow cmd ` + -ArgumentList '/c','scripts\install.cmd --verify-attesttion' + if ($p.ExitCode -eq 0) { + throw "install.cmd should have rejected --verify-attesttion but exited 0" + } + Write-Host "✓ Unknown flag rejected with exit code $($p.ExitCode)" From 7e5d509ae970534db9cd77906e57ae3971d960b5 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 12:24:16 -0700 Subject: [PATCH 04/24] fix(install.cmd): capture gh stderr on failure (consistency with install.sh) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Self-review catch: the PR #512 reviewer flagged install.sh for redirecting `gh attestation verify` output to /dev/null, which swallowed actionable error messages (auth missing, network issue, attestation not yet propagated) behind a generic "verification failed" line. I fixed install.sh in the previous review-fix commit but missed that install.cmd had the exact same pattern: gh attestation verify "!TEMP_FILE!" --repo !REPO! >/dev/null 2>&1 Same bug, same consequence, same fix. cmd doesn't have bash's `$(cmd)` or PowerShell's `& cmd 2>&1` output capture, so we redirect to a temp file and `type` it on failure, then clean up in both branches: gh attestation verify ... > "%TEMP%\gh-output.txt" 2>&1 if !ERRORLEVEL! neq 0 ( type "%TEMP%\gh-output.txt" >&2 del "%TEMP%\gh-output.txt" echo Attestation verification failed! >&2 ... ) del "%TEMP%\gh-output.txt" All three installers now surface gh's actual error message on failure, which makes the most common failure mode (`gh auth login` not run) immediately diagnosable on every platform. Note: this code path is not exercised by the new Windows CI integration job because that job passes `--skip-attestation`, and exercising the gh verify path would require an attestation for v0.17.1 to exist — which it doesn't, since v0.17.1 was released before this PR added the attestation step. The fix will first become CI-testable against the first post-merge release that carries a provenance bundle. For provenance purposes, this commit was AI assisted. --- scripts/install.cmd | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/scripts/install.cmd b/scripts/install.cmd index 86c2521e..4c5bdcf1 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -170,14 +170,21 @@ if "!VERIFY_ATTESTATION_FLAG!"=="0" set "VERIFY_ATTESTATION=0" if "!VERIFY_ATTESTATION!"=="1" ( where gh >nul 2>&1 if !ERRORLEVEL! equ 0 ( - gh attestation verify "!TEMP_FILE!" --repo !REPO! >nul 2>&1 + REM Capture combined output to a temp file so gh's actual error + REM message (auth, network, missing attestation, etc.) can be + REM surfaced on failure instead of a generic "verification failed" + REM with no diagnostic detail. Matches install.sh / install.ps1. + gh attestation verify "!TEMP_FILE!" --repo !REPO! > "%TEMP%\gh-output.txt" 2>&1 if !ERRORLEVEL! neq 0 ( + type "%TEMP%\gh-output.txt" >&2 + del "%TEMP%\gh-output.txt" echo Attestation verification failed! >&2 echo The binary's SHA256 matched, but no valid signed provenance was found >&2 echo for !REPO!. Refusing to install. >&2 del "!TEMP_FILE!" exit /b 1 ) + del "%TEMP%\gh-output.txt" echo [OK] verified build provenance ^(SLSA^) ) else ( echo verifyAttestation is enabled but gh CLI was not found. >&2 From 6354d453c655a39d0c0985ddf2a53e4e6b69a25b Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 12:55:56 -0700 Subject: [PATCH 05/24] fix(install): address second review pass on PR #512 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Five findings, all verified against the actual code: - **AGENTS.md env var table** (reviewer: "CLAUDE.md"; it's a symlink to AGENTS.md) was missing PLANNOTATOR_VERIFY_ATTESTATION. Added with an explicit note that it's read by the install scripts only, not the runtime binary — since every other entry in that table is a runtime env var, the distinction matters. - **install.cmd unknown-flag guard metacharacter injection.** The previous guard ran `echo %~1 | findstr /b "[-]"`, where %~1 is unquoted before the pipe. A user passing `install.cmd "--bad&calc"` would have cmd expand %~1 to `--bad&calc`, see the `&` as a command separator, and execute `calc` as a side effect before the flag check. Not a remote exploit (user already has shell exec), but a defensive coding weakness in supply-chain hardening code. Replaced with a variable-assigned substring test using delayed expansion — `set "CURRENT_ARG=%~1"` preserves metacharacters literally inside the `"..."` set syntax, and `!CURRENT_ARG:~0,1!` extracts the first char without any subprocess. This also fixes the same bug in the error-message echo, which previously echoed the unquoted `%~1` and re-triggered metacharacter interpretation in the error path itself. The echo now uses `"%~1"`. Note: the reviewer's proposed one-liner `if "%~1:~0,1%"=="-"` was syntactically invalid — cmd's `:~start,length` substring modifier does not work on positional parameters, only on regular variables. A variable assignment is necessary. - **install.cmd unquoted --repo argument** in the `gh attestation verify` call. TEMP_FILE was quoted but REPO was not. REPO is hardcoded to `backnotprop/plannotator` so not exploitable, but inconsistent with install.sh (which quotes `"$REPO"`). One-char fix: `--repo "!REPO!"`. - **test.yml intentional-typo drift hazard.** The unknown-flag regression test invokes `install.cmd --verify-attesttion` (missing an `a`). The only assertion was `$p.ExitCode -eq 0`. If a future typo-sweep "fixes" the misspelling to the valid `--verify-attestation`, install.cmd would accept the flag, proceed to download the latest release, run `gh attestation verify` against it, and — because v0.17.1 pre-dates the attestation step — fail with a different non-zero exit. Both paths exit 1, so the test would silently drift from "guard works" to "gh attestation verify fails on pre-PR release" without anyone noticing. Two-part fix: 1. Explicit comment marking the misspelling as intentional ("do not correct during a typo sweep"). 2. Redirect stderr to a temp file and assert it contains "Unknown option:" — the actual discriminator between the guard triggering and any other failure mode that happens to exit non-zero. - **README.md verification block was too long** for the main README. Trimmed from ~33 lines (intro + 3 code blocks + opt-in mechanisms + precedence notes) to a single sentence that links to the canonical marketing installation docs where the full content already lived. Same treatment applied to apps/hook/README.md for consistency. The marketing docs are unchanged and remain the single source of truth for verification workflows. All 29 install tests still pass. The Windows CI integration job's new stderr assertion will exercise the harder guard on the next push. For provenance purposes, this commit was AI assisted. --- .github/workflows/test.yml | 26 ++++++++++++++++++++++---- AGENTS.md | 1 + README.md | 34 +--------------------------------- apps/hook/README.md | 21 +-------------------- scripts/install.cmd | 16 ++++++++++++---- 5 files changed, 37 insertions(+), 61 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ebcdb180..835bca35 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -133,10 +133,28 @@ jobs: run: | # Regression guard for the review finding that install.cmd silently # reinterpreted typoed flags as version strings. A leading-dash token - # that doesn't match a known flag must now produce a non-zero exit. + # that doesn't match a known flag must now produce a non-zero exit + # AND emit "Unknown option:" on stderr — the latter is the real + # discriminator between the guard triggering and some other failure + # mode (network, gh auth, pre-PR release without an attestation) + # that also happens to exit non-zero. + # + # `--verify-attesttion` below is INTENTIONALLY MISSPELLED. Do not + # "correct" it during a typo sweep — the valid spelling is a real + # flag and would bypass this guard. The stderr assertion below + # would catch the drift, but the comment is the first line of + # defense for future maintainers. + $stderrFile = New-TemporaryFile $p = Start-Process -Wait -PassThru -NoNewWindow cmd ` - -ArgumentList '/c','scripts\install.cmd --verify-attesttion' + -ArgumentList '/c','scripts\install.cmd --verify-attesttion' ` + -RedirectStandardError $stderrFile.FullName + $stderr = Get-Content $stderrFile.FullName -Raw -ErrorAction SilentlyContinue + Remove-Item $stderrFile.FullName -ErrorAction SilentlyContinue + if ($p.ExitCode -eq 0) { - throw "install.cmd should have rejected --verify-attesttion but exited 0" + throw "install.cmd should have rejected --verify-attesttion but exited 0. stderr: $stderr" + } + if ($stderr -notmatch 'Unknown option:') { + throw "install.cmd exited $($p.ExitCode) but not via the unknown-flag guard. Expected 'Unknown option:' in stderr but got: $stderr" } - Write-Host "✓ Unknown flag rejected with exit code $($p.ExitCode)" + Write-Host "✓ Unknown flag rejected with exit code $($p.ExitCode) via the unknown-flag guard" diff --git a/AGENTS.md b/AGENTS.md index 3914db3c..71bae757 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -103,6 +103,7 @@ claude --plugin-dir ./apps/hook | `PLANNOTATOR_SHARE` | Set to `disabled` to turn off URL sharing entirely. Default: enabled. | | `PLANNOTATOR_SHARE_URL` | Custom base URL for share links (self-hosted portal). Default: `https://share.plannotator.ai`. | | `PLANNOTATOR_PASTE_URL` | Base URL of the paste service API for short URL sharing. Default: `https://plannotator-paste.plannotator.workers.dev`. | +| `PLANNOTATOR_VERIFY_ATTESTATION` | **Read by the install scripts only**, not by the runtime binary. Set to `1` / `true` to have `scripts/install.sh` / `install.ps1` / `install.cmd` run `gh attestation verify` on every install. Off by default. Can also be set persistently via `~/.plannotator/config.json` (`{ "verifyAttestation": true }`) or per-invocation via `--verify-attestation`. Requires `gh` installed and authenticated. | **Legacy:** `SSH_TTY` and `SSH_CONNECTION` are still detected when `PLANNOTATOR_REMOTE` is unset. Set `PLANNOTATOR_REMOTE=1` / `true` to force remote mode or `0` / `false` to force local mode. diff --git a/README.md b/README.md index fa9a7a01..d5fe6855 100644 --- a/README.md +++ b/README.md @@ -83,39 +83,7 @@ irm https://plannotator.ai/install.ps1 | iex & ([scriptblock]::Create((irm https://plannotator.ai/install.ps1))) -Version v0.17.1 ``` -### Verifying your install - -Every released binary ships with a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore. The SHA256 check is mandatory; provenance verification is optional and only needed if you want a cryptographic link from the binary back to the exact commit and workflow run that built it. - -If you want to verify provenance manually, install [GitHub CLI](https://cli.github.com) and run: - -```bash -# macOS / Linux -gh attestation verify ~/.local/bin/plannotator --repo backnotprop/plannotator - -# Windows (PowerShell installer) -gh attestation verify "$env:LOCALAPPDATA\plannotator\plannotator.exe" --repo backnotprop/plannotator - -# Windows (cmd installer) -gh attestation verify "%USERPROFILE%\.local\bin\plannotator.exe" --repo backnotprop/plannotator -``` - -This requires `gh auth login`. For air-gapped or no-auth environments, see GitHub's docs on [verifying attestations offline](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline). - -To make the installer run provenance verification automatically on every upgrade (opt-in): - -```bash -# One-shot -curl -fsSL https://plannotator.ai/install.sh | bash -s -- --verify-attestation - -# Persistent via env var -export PLANNOTATOR_VERIFY_ATTESTATION=1 - -# Persistent via config file -echo '{ "verifyAttestation": true }' > ~/.plannotator/config.json -``` - -Precedence: CLI flag > env var > config file > default (off). When enabled, the installer requires `gh` installed and authenticated; otherwise it hard-fails. See [the full docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install) for details. +Every released binary ships with a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore. For manual verification commands and opt-in auto-verification during upgrades, see the [installation docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install). **Then in Claude Code:** diff --git a/apps/hook/README.md b/apps/hook/README.md index 6062af5c..100850db 100644 --- a/apps/hook/README.md +++ b/apps/hook/README.md @@ -32,26 +32,7 @@ REM Pin to a specific reviewed version curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd --version v0.17.1 && del install.cmd ``` -### Verifying your install - -Released binaries ship with SHA256 sidecars (verified automatically on every install) and [SLSA build provenance](https://slsa.dev/) attestations signed via Sigstore. The SHA256 check is mandatory and runs on every install — provenance verification is optional and only needed if you want a cryptographic link from the binary back to the source commit and workflow run. - -To verify provenance manually, install [GitHub CLI](https://cli.github.com), run `gh auth login`, then: - -```bash -# macOS / Linux -gh attestation verify ~/.local/bin/plannotator --repo backnotprop/plannotator - -# Windows (PowerShell installer) -gh attestation verify "$env:LOCALAPPDATA\plannotator\plannotator.exe" --repo backnotprop/plannotator - -# Windows (cmd installer) -gh attestation verify "%USERPROFILE%\.local\bin\plannotator.exe" --repo backnotprop/plannotator -``` - -For air-gapped or no-auth environments, see GitHub's docs on [verifying attestations offline](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline). - -Provenance verification is **off by default** in the installer. Enable auto-verification on every upgrade by passing `--verify-attestation` (bash/cmd) or `-VerifyAttestation` (PowerShell), exporting `PLANNOTATOR_VERIFY_ATTESTATION=1`, or setting `{ "verifyAttestation": true }` in `~/.plannotator/config.json`. When enabled, the installer requires `gh` installed and authenticated — see [the full docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install). +Released binaries ship with SHA256 sidecars (verified automatically on every install) and [SLSA build provenance](https://slsa.dev/) attestations signed via Sigstore. For manual verification commands and the opt-in auto-verification flags, see the [installation docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install). --- diff --git a/scripts/install.cmd b/scripts/install.cmd index 4c5bdcf1..349a757f 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -35,9 +35,17 @@ if /i "%~1"=="--skip-attestation" ( REM Reject any other dash-prefixed token as an unknown option, so a typoed REM flag like --verify-attesttion fails fast instead of being interpreted as REM a version tag (which would 404 on releases/download/v--verify-attesttion/...). -echo %~1 | findstr /b "[-]" >nul -if !ERRORLEVEL! equ 0 ( - echo Unknown option: %~1 >&2 +REM +REM Uses a variable-assigned substring test instead of `echo %~1 | findstr` +REM because unquoted %~1 in an echo pipe lets cmd.exe interpret shell +REM metacharacters (& | > <) in the argument before the pipe runs. Assigning +REM to a `set "VAR=%~1"` literal-quoted form preserves metacharacters safely, +REM and delayed-expansion substring (!VAR:~0,1!) avoids the subprocess entirely. +REM The error-message echo also quotes "%~1" for the same reason — echoing an +REM unquoted arg containing `&` would re-trigger metacharacter interpretation. +set "CURRENT_ARG=%~1" +if "!CURRENT_ARG:~0,1!"=="-" ( + echo Unknown option: "%~1" >&2 echo Usage: install.cmd [--version ^] [--verify-attestation ^| --skip-attestation] >&2 exit /b 1 ) @@ -174,7 +182,7 @@ if "!VERIFY_ATTESTATION!"=="1" ( REM message (auth, network, missing attestation, etc.) can be REM surfaced on failure instead of a generic "verification failed" REM with no diagnostic detail. Matches install.sh / install.ps1. - gh attestation verify "!TEMP_FILE!" --repo !REPO! > "%TEMP%\gh-output.txt" 2>&1 + gh attestation verify "!TEMP_FILE!" --repo "!REPO!" > "%TEMP%\gh-output.txt" 2>&1 if !ERRORLEVEL! neq 0 ( type "%TEMP%\gh-output.txt" >&2 del "%TEMP%\gh-output.txt" From 097e917cd4295ee2b2332eca0c4a57fc7caa3d24 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 13:27:01 -0700 Subject: [PATCH 06/24] fix(install): tighten attestation verify with --source-ref and --signer-workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses PR #512 review cycle 3 finding that repo-scoped verification alone doesn't bind the downloaded binary to the specific tag the user requested. A misattached release asset would pass the old check because the wrong binary would still carry a valid attestation for its own (wrong) commit. GitHub's own docs explicitly recommend both constraints: "The more precisely you specify the identity, the more control you will have over the security guarantees. Ideally, the path of the signer workflow is also validated." — https://cli.github.com/manual/gh_attestation_verify All three installers now pass: --source-ref "refs/tags/" Enforces that the git ref the attestation was produced from matches the tag the installer asked for. Closes the misattached-asset gap. --signer-workflow backnotprop/plannotator/.github/workflows/release.yml Enforces that the attestation was signed by our release workflow file specifically, not any workflow in the repo. GitHub treats this flag as a regex (see cli/cli#9507) so future refactors can broaden the match without breaking version-pinned installs to historical releases. Also addresses the sibling finding that install.cmd used a fixed %TEMP%\gh-output.txt temp filename while the rest of the script uses %RANDOM% for uniqueness. Renamed to %TEMP%\plannotator-gh-%RANDOM%.txt, matching the established pattern and removing a theoretical race between concurrent invocations. New test in install.test.ts asserts all three installers pass --source-ref and --signer-workflow with the expected values. 30 tests pass. For provenance purposes, this commit was AI assisted. --- scripts/install.cmd | 27 +++++++++++++++++++-------- scripts/install.ps1 | 7 ++++++- scripts/install.sh | 10 +++++++++- scripts/install.test.ts | 24 ++++++++++++++++++++++++ 4 files changed, 58 insertions(+), 10 deletions(-) diff --git a/scripts/install.cmd b/scripts/install.cmd index 349a757f..4e461ec3 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -178,21 +178,32 @@ if "!VERIFY_ATTESTATION_FLAG!"=="0" set "VERIFY_ATTESTATION=0" if "!VERIFY_ATTESTATION!"=="1" ( where gh >nul 2>&1 if !ERRORLEVEL! equ 0 ( - REM Capture combined output to a temp file so gh's actual error - REM message (auth, network, missing attestation, etc.) can be - REM surfaced on failure instead of a generic "verification failed" - REM with no diagnostic detail. Matches install.sh / install.ps1. - gh attestation verify "!TEMP_FILE!" --repo "!REPO!" > "%TEMP%\gh-output.txt" 2>&1 + REM Capture combined output to a randomized temp file so gh's + REM actual error message (auth, network, missing attestation, etc.) + REM can be surfaced on failure. Randomized to match the existing + REM %RANDOM% pattern used elsewhere in this script and avoid races + REM between concurrent invocations. Matches install.sh / install.ps1. + REM + REM Verification is constrained to the exact tag (--source-ref) AND + REM the specific signing workflow file (--signer-workflow) — not + REM just "built somewhere in this repo". See install.sh for full + REM rationale. + set "GH_OUTPUT=%TEMP%\plannotator-gh-%RANDOM%.txt" + gh attestation verify "!TEMP_FILE!" ^ + --repo "!REPO!" ^ + --source-ref "refs/tags/!TAG!" ^ + --signer-workflow "backnotprop/plannotator/.github/workflows/release.yml" ^ + > "!GH_OUTPUT!" 2>&1 if !ERRORLEVEL! neq 0 ( - type "%TEMP%\gh-output.txt" >&2 - del "%TEMP%\gh-output.txt" + type "!GH_OUTPUT!" >&2 + del "!GH_OUTPUT!" echo Attestation verification failed! >&2 echo The binary's SHA256 matched, but no valid signed provenance was found >&2 echo for !REPO!. Refusing to install. >&2 del "!TEMP_FILE!" exit /b 1 ) - del "%TEMP%\gh-output.txt" + del "!GH_OUTPUT!" echo [OK] verified build provenance ^(SLSA^) ) else ( echo verifyAttestation is enabled but gh CLI was not found. >&2 diff --git a/scripts/install.ps1 b/scripts/install.ps1 index 96c8c4b0..39b23388 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -119,7 +119,12 @@ if ($SkipAttestation) { $verifyAttestationResolved = $false } if ($verifyAttestationResolved) { if (Get-Command gh -ErrorAction SilentlyContinue) { - $verifyOutput = & gh attestation verify $tmpFile --repo $repo 2>&1 + # Constrain verification to the exact tag + signing workflow — see + # install.sh comment for rationale. + $verifyOutput = & gh attestation verify $tmpFile ` + --repo $repo ` + --source-ref "refs/tags/$latestTag" ` + --signer-workflow "backnotprop/plannotator/.github/workflows/release.yml" 2>&1 if ($LASTEXITCODE -eq 0) { Write-Host "✓ verified build provenance (SLSA)" } else { diff --git a/scripts/install.sh b/scripts/install.sh index 687e2b93..62864848 100644 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -170,7 +170,15 @@ if [ "$verify_attestation" -eq 1 ]; then # Capture combined output so we can surface gh's actual error message # (auth, network, missing attestation, etc.) on failure instead of a # generic "verification failed" with no diagnostic detail. - if gh_output=$(gh attestation verify "$tmp_file" --repo "$REPO" 2>&1); then + # Constrain verification to the exact tag + signing workflow — not + # just "built by somewhere in this repo". --source-ref pins the + # git ref the attestation was produced from; --signer-workflow pins + # the workflow file that signed it. Together they prevent accepting + # a misattached asset or an attestation from an unrelated workflow. + if gh_output=$(gh attestation verify "$tmp_file" \ + --repo "$REPO" \ + --source-ref "refs/tags/${latest_tag}" \ + --signer-workflow "backnotprop/plannotator/.github/workflows/release.yml" 2>&1); then echo "✓ verified build provenance (SLSA)" else echo "$gh_output" >&2 diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 731c9f44..94545110 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -227,6 +227,30 @@ describe("install shared behavior", () => { expect(ps).toContain("gh CLI was not found"); }); + test("all installers constrain attestation verify to tag + signer workflow", () => { + // Every `gh attestation verify` call must pass --source-ref and + // --signer-workflow, not just --repo. Without --source-ref a + // misattached asset from a different release would pass; without + // --signer-workflow an attestation from an unrelated workflow in + // the same repo would pass. GitHub's own docs recommend both. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + + for (const [name, script] of [["install.sh", sh], ["install.ps1", ps], ["install.cmd", cmdScript]] as const) { + if (!script.includes("--source-ref")) { + throw new Error(`${name} missing --source-ref constraint on gh attestation verify`); + } + if (!script.includes("refs/tags/")) { + throw new Error(`${name} --source-ref does not reference refs/tags/`); + } + if (!script.includes("--signer-workflow")) { + throw new Error(`${name} missing --signer-workflow constraint on gh attestation verify`); + } + if (!script.includes(".github/workflows/release.yml")) { + throw new Error(`${name} --signer-workflow does not reference release.yml`); + } + } + }); + test("install.sh gates gh verification behind verify_attestation guard", () => { // When the opt-in is off, the installer must print the SHA256-only info // line and must not invoke gh. From 661ac2d3f8a043c72d96bf5b433679eef7bf0e5d Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 14:13:54 -0700 Subject: [PATCH 07/24] fix(install): address PR #512 review cycle 4 (parser edges, ps1 stream, docs) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Five findings, all verified against actual code. One bonus fix in install.sh for a sibling bug the reviewer flagged only in install.cmd. install.ps1: `Write-Host $verifyOutput` on attestation failure wrote gh's diagnostic to PowerShell's Information stream (stream 6), which is silently dropped when CI pipelines capture stderr. Replaced with `[Console]::Error.WriteLine($verifyOutput)` — direct stderr handle, matches the behavior of `echo ... >&2` in install.sh and `type ... >&2` in install.cmd. install.sh + install.cmd: `--version --some-other-flag` used to set VERSION to the flag name (e.g. VERSION=--verify-attestation), which then tried to download tag `v--verify-attestation` and 404'd. The empty-check on `$2`/`%~2` didn't catch dash-prefixed values. Added an explicit dash-prefix check that returns a clean "--version requires a tag value, got flag: X" error instead of degrading into a cryptic download failure. install.sh + install.cmd: mixing `--version v1.0.0 stray` used to silently overwrite VERSION with "stray" because the positional branch unconditionally assigned VERSION=$1. Added a VERSION_EXPLICIT sentinel that's set to 1 when --version is seen, and the positional branch now errors with "Unexpected positional argument: X (version already set)" when it sees a token while the sentinel is set. Same sentinel is also set by the positional branch itself, so passing two positional version tokens also errors out cleanly. Note: the reviewer flagged the positional-overwrite bug only in install.cmd, but install.sh had the identical issue (same unconditional `VERSION="$1"` in the `*)` arm) and the same dash- check gap in both its `--version ` and `--version=` branches. Fixing both installers symmetrically — inconsistency here would just trigger another review round. marketing/installation.md: the "Verifying your install" prose promised a "cryptographic link to the exact commit and workflow run," but the example commands only passed `--repo`, which just proves the artifact came from some workflow in our repository. The installer now constrains with `--source-ref` and `--signer-workflow` after review cycle 3, so the docs were out of sync with the actual installer behavior. Updated all three platform examples (bash, pwsh, cmd) to include the tighter flags with a placeholder (`vX.Y.Z`) and a sentence explaining what the extra flags actually buy the user. README.md and apps/hook/README.md are already link-only after cycle 2 and don't need changes. install.test.ts: two new tests. - Regression guard asserts install.sh and install.cmd contain the VERSION_EXPLICIT sentinel, the dash-prefix error message, and the "Unexpected positional argument" guard. Anyone removing any of these in a future cleanup would fail CI. - Regression guard asserts install.ps1 uses [Console]::Error.WriteLine and does NOT use Write-Host for verifyOutput. 32 tests pass (was 30). Smoke-tested install.sh with `--version --verify-attestation` and `--version v1.0.0 stray` — both now exit 1 with clean usage errors instead of silent download failures. For provenance purposes, this commit was AI assisted. --- .../docs/getting-started/installation.md | 17 +++++++-- scripts/install.cmd | 20 +++++++++- scripts/install.ps1 | 5 ++- scripts/install.sh | 38 ++++++++++++++++++- scripts/install.test.ts | 30 +++++++++++++++ 5 files changed, 102 insertions(+), 8 deletions(-) diff --git a/apps/marketing/src/content/docs/getting-started/installation.md b/apps/marketing/src/content/docs/getting-started/installation.md index ba46b9fb..e1929e99 100644 --- a/apps/marketing/src/content/docs/getting-started/installation.md +++ b/apps/marketing/src/content/docs/getting-started/installation.md @@ -49,17 +49,26 @@ Every released binary is accompanied by a SHA256 sidecar (verified automatically **Manual verification (recommended for one-off audits):** -This requires the [GitHub CLI](https://cli.github.com) to be installed and authenticated (`gh auth login`): +This requires the [GitHub CLI](https://cli.github.com) to be installed and authenticated (`gh auth login`). Replace `vX.Y.Z` with the tag of the version you installed — pinning the source ref and signer workflow is what gives you the "exact commit and workflow run" guarantee described above; `--repo` alone only proves the artifact was built by _some_ workflow in our repository. ```bash # macOS / Linux -gh attestation verify ~/.local/bin/plannotator --repo backnotprop/plannotator +gh attestation verify ~/.local/bin/plannotator \ + --repo backnotprop/plannotator \ + --source-ref refs/tags/vX.Y.Z \ + --signer-workflow backnotprop/plannotator/.github/workflows/release.yml # Windows (PowerShell installer) -gh attestation verify "$env:LOCALAPPDATA\plannotator\plannotator.exe" --repo backnotprop/plannotator +gh attestation verify "$env:LOCALAPPDATA\plannotator\plannotator.exe" ` + --repo backnotprop/plannotator ` + --source-ref refs/tags/vX.Y.Z ` + --signer-workflow backnotprop/plannotator/.github/workflows/release.yml # Windows (cmd installer) -gh attestation verify "%USERPROFILE%\.local\bin\plannotator.exe" --repo backnotprop/plannotator +gh attestation verify "%USERPROFILE%\.local\bin\plannotator.exe" ^ + --repo backnotprop/plannotator ^ + --source-ref refs/tags/vX.Y.Z ^ + --signer-workflow backnotprop/plannotator/.github/workflows/release.yml ``` For air-gapped or no-auth environments, see GitHub's docs on [verifying attestations offline](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline) (uses `gh attestation download` to fetch the bundle once, then verifies offline against it). diff --git a/scripts/install.cmd b/scripts/install.cmd index 4e461ec3..049f2e6a 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -5,6 +5,9 @@ REM Plannotator Windows CMD Bootstrap Script REM Parse command line arguments set "VERSION=latest" +REM Tracks whether a version was explicitly set via --version or positional. +REM Used to reject mixing --version with a stray positional token. +set "VERSION_EXPLICIT=0" REM Three-layer opt-in for SLSA provenance verification. REM Precedence: CLI flag > env var > %USERPROFILE%\.plannotator\config.json > default. REM -1 = flag not set (fall through); 0 = disable; 1 = enable. @@ -17,7 +20,15 @@ if /i "%~1"=="--version" ( echo --version requires an argument >&2 exit /b 1 ) + REM Reject dash-prefixed values — prevents `install.cmd --version + REM --skip-attestation` from silently setting VERSION=--skip-attestation. + set "NEXT_ARG=%~2" + if "!NEXT_ARG:~0,1!"=="-" ( + echo --version requires a tag value, got flag: "%~2" >&2 + exit /b 1 + ) set "VERSION=%~2" + set "VERSION_EXPLICIT=1" shift shift goto parse_args @@ -49,8 +60,15 @@ if "!CURRENT_ARG:~0,1!"=="-" ( echo Usage: install.cmd [--version ^] [--verify-attestation ^| --skip-attestation] >&2 exit /b 1 ) -REM Positional form: install.cmd v0.17.1 (legacy interface) +REM Positional form: install.cmd v0.17.1 (legacy interface). +REM Reject if --version was already passed — silent overwrite is worse +REM than a clean usage error. +if "!VERSION_EXPLICIT!"=="1" ( + echo Unexpected positional argument: "%~1" ^(version already set^) >&2 + exit /b 1 +) set "VERSION=%~1" +set "VERSION_EXPLICIT=1" shift goto parse_args :args_done diff --git a/scripts/install.ps1 b/scripts/install.ps1 index 39b23388..c2b342bf 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -128,7 +128,10 @@ if ($verifyAttestationResolved) { if ($LASTEXITCODE -eq 0) { Write-Host "✓ verified build provenance (SLSA)" } else { - Write-Host $verifyOutput + # Write to stderr directly — Write-Host goes to PowerShell's + # Information stream, which is silently dropped when callers + # redirect stderr for error reporting in CI/CD pipelines. + [Console]::Error.WriteLine($verifyOutput) Remove-Item $tmpFile -Force Write-Error "Attestation verification failed! The binary's SHA256 matched, but no valid signed provenance was found for $repo. Refusing to install." exit 1 diff --git a/scripts/install.sh b/scripts/install.sh index 62864848..bcabc8a4 100644 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -5,6 +5,10 @@ REPO="backnotprop/plannotator" INSTALL_DIR="$HOME/.local/bin" VERSION="latest" +# Tracks whether a version was explicitly set via --version or positional. +# Used to reject mixing --version with a stray positional token, +# which would otherwise silently overwrite the earlier value and 404. +VERSION_EXPLICIT=0 # Three-layer opt-in for SLSA build-provenance verification. # Precedence: CLI flag > env var > ~/.plannotator/config.json > default (off). # -1 = flag not set yet (fall through to lower layers); 0 = disable; 1 = enable. @@ -46,11 +50,33 @@ while [ $# -gt 0 ]; do usage >&2 exit 1 fi + case "$2" in + -*) + echo "--version requires a tag value, got flag: $2" >&2 + usage >&2 + exit 1 + ;; + esac VERSION="$2" + VERSION_EXPLICIT=1 shift 2 ;; --version=*) - VERSION="${1#--version=}" + value="${1#--version=}" + if [ -z "$value" ]; then + echo "--version requires an argument" >&2 + usage >&2 + exit 1 + fi + case "$value" in + -*) + echo "--version requires a tag value, got flag: $value" >&2 + usage >&2 + exit 1 + ;; + esac + VERSION="$value" + VERSION_EXPLICIT=1 shift ;; --verify-attestation) @@ -71,8 +97,16 @@ while [ $# -gt 0 ]; do exit 1 ;; *) - # Positional form: install.sh v0.17.1 (matches install.cmd interface) + # Positional form: install.sh v0.17.1 (matches install.cmd interface). + # Reject if --version was already passed — silent overwrite is worse + # than a clean usage error. + if [ "$VERSION_EXPLICIT" -eq 1 ]; then + echo "Unexpected positional argument: $1 (version already set)" >&2 + usage >&2 + exit 1 + fi VERSION="$1" + VERSION_EXPLICIT=1 shift ;; esac diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 94545110..13a56784 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -227,6 +227,36 @@ describe("install shared behavior", () => { expect(ps).toContain("gh CLI was not found"); }); + test("install.sh/cmd reject dash-prefixed --version values and positional overwrites", () => { + // Regression guard for PR #512 review cycle 4 findings: + // - `install.sh --version --verify-attestation` used to set VERSION + // to the flag name and then 404 on download + // - `install.sh --version v1.0.0 stray` used to silently overwrite + // VERSION with "stray" + // Same pair of bugs existed in install.cmd. Both scripts now track + // VERSION_EXPLICIT and dash-check the value after --version. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + + // install.sh + expect(sh).toContain("VERSION_EXPLICIT=0"); + expect(sh).toContain('echo "--version requires a tag value, got flag:'); + expect(sh).toContain('echo "Unexpected positional argument:'); + + // install.cmd + expect(cmdScript).toContain('set "VERSION_EXPLICIT=0"'); + expect(cmdScript).toContain("--version requires a tag value, got flag:"); + expect(cmdScript).toContain("Unexpected positional argument:"); + }); + + test("install.ps1 writes gh error output to stderr, not Write-Host", () => { + // Regression guard: Write-Host goes to PowerShell's Information stream + // and is silently dropped when CI pipelines capture stderr. Use the + // native stderr handle instead. See install.sh:177 and install.cmd for + // the equivalent stderr writes. + expect(ps).toContain("[Console]::Error.WriteLine($verifyOutput)"); + expect(ps).not.toContain("Write-Host $verifyOutput"); + }); + test("all installers constrain attestation verify to tag + signer workflow", () => { // Every `gh attestation verify` call must pass --source-ref and // --signer-workflow, not just --repo. Without --source-ref a From 1a9d64c2704a5b1f1d29ea0764cbe8ddbb704db3 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 14:43:44 -0700 Subject: [PATCH 08/24] fix(install): address PR #512 review cycle 5 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Five code/doc fixes, all verified against actual code. Finding 1 from the review (opt-in verification unusable until a post-merge release is cut) is correct but not actionable — it's inherent to how SLSA attestations work and the only "fix" is timing + release cadence. install.ps1: `[Console]::Error.WriteLine($verifyOutput)` silently converted multi-line gh output to the literal string "System.Object[]" — the opposite of what cycle 4's Write-Host fix was supposed to do. `& gh ... 2>&1` captures multi-line output as an object[] array; passing the array directly to [Console]::Error.WriteLine binds to the WriteLine(object) overload and calls ToString() on the array. Fixed by piping through Out-String first (and TrimEnd to drop the trailing newline it adds). Confirmed against Sigstore/PowerShell docs and the Delft Stack array-to-string guide. install.cmd: replaced `echo !TAG! | findstr /b "v"` with a substring test `if not "!TAG:~0,1!"=="v"`. Same metacharacter-injection class as the parser bug fixed in cycle 2 — piping an unquoted expanded variable re-exposes cmd's & | > < operators in the value before the pipe runs. Inconsistent to leave this one instance using the unsafe pattern when every other comparable check in the script uses the substring idiom. install.cmd: randomized the two remaining deterministic temp file paths — %TEMP%\release.json and %TEMP%\plannotator-.exe — to match the %RANDOM% pattern already used by GH_OUTPUT. Closes two gaps at once: concurrent-invocation collisions (real for automated upgrade tooling) and same-user symlink pre-placement (the SHA256 check passes on authentic content, but a symlink at the predictable path would redirect where curl writes the binary before the install move runs). All three installers: reject --verify-attestation and --skip-attestation together as mutually exclusive instead of trying to guess which the user meant. Previously install.sh/cmd took last- on-command-line wins and install.ps1 took a fixed-priority Skip- always-wins (documented but inconsistent with the other two). No sane user passes both flags — fast-failing with a clear "mutually exclusive" error is better than silently picking one and hoping it matches intent. Guards live inline in both arms of the bash/cmd parsers and right after the PowerShell param block. test.yml: added a comment block on the install.cmd v0.17.1 pin explaining why that version was chosen, why `latest` isn't used, what the prerequisites are for bumping it, and what failure mode to expect if the pinned release is ever removed. No behavior change — the existing pin stays. Addresses the reviewer's concern that the dependency was undocumented. install.test.ts: four new regression guards. - Asserts install.ps1 uses Out-String (not bare [Console] call on raw $verifyOutput) for multi-line gh output - Asserts all three installers reject the --verify+--skip combo with a "mutually exclusive" error and install.ps1 has the `$VerifyAttestation -and $SkipAttestation` guard - Asserts install.cmd uses randomized temp paths for release.json and the binary download, and that the old deterministic paths are gone - Asserts install.cmd uses the substring test for v-prefix normalization and does not pipe echo|findstr for that check 35 install tests pass (was 32). Smoke-tested the bash mutex guard in both orders — both fail fast with "mutually exclusive" and exit 1 regardless of which flag appears first. For provenance purposes, this commit was AI assisted. --- .github/workflows/test.yml | 18 +++++++++++ scripts/install.cmd | 35 +++++++++++++++------ scripts/install.ps1 | 17 ++++++++++- scripts/install.sh | 10 ++++++ scripts/install.test.ts | 62 ++++++++++++++++++++++++++++++++++---- 5 files changed, 126 insertions(+), 16 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 835bca35..36feea5b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -80,6 +80,24 @@ jobs: - name: Run install.cmd end-to-end shell: cmd + # v0.17.1 is pinned intentionally. This test needs a real binary + # to download so it can exercise install.cmd end-to-end — SHA256 + # verification, skills sparse-checkout, and (critically) the + # embedded `node -e` Gemini merge path that was the site of + # issue #506. Using `latest` would couple the Windows regression + # test to whatever version is currently released, so a bad + # release would retroactively break CI on every branch. + # + # v0.17.1 was the current release when the test was added and is + # locked in place by GitHub Immutable Releases. If you ever need + # to bump it (e.g. this version becomes too old to represent the + # install flow we care about), verify the replacement has: + # - plannotator-win32-x64.exe attached + # - plannotator-win32-x64.exe.sha256 attached + # - the install.cmd and packages/shared/ layout your branch + # under test expects to find in apps/skills/ + # A missing or mismatched release asset surfaces as a curl 404 + # in this step with no obvious connection to the test's purpose. run: scripts\install.cmd v0.17.1 --skip-attestation - name: Verify Gemini settings.json was merged correctly diff --git a/scripts/install.cmd b/scripts/install.cmd index 049f2e6a..54d21c57 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -34,11 +34,19 @@ if /i "%~1"=="--version" ( goto parse_args ) if /i "%~1"=="--verify-attestation" ( + if "!VERIFY_ATTESTATION_FLAG!"=="0" ( + echo --verify-attestation and --skip-attestation are mutually exclusive >&2 + exit /b 1 + ) set "VERIFY_ATTESTATION_FLAG=1" shift goto parse_args ) if /i "%~1"=="--skip-attestation" ( + if "!VERIFY_ATTESTATION_FLAG!"=="1" ( + echo --skip-attestation and --verify-attestation are mutually exclusive >&2 + exit /b 1 + ) set "VERIFY_ATTESTATION_FLAG=0" shift goto parse_args @@ -102,20 +110,23 @@ REM Get version to install if /i "!VERSION!"=="latest" ( echo Fetching latest version... - REM Download release info and extract tag_name - curl -fsSL "https://api.github.com/repos/!REPO!/releases/latest" -o "%TEMP%\release.json" + REM Download release info to a randomized temp file so concurrent + REM invocations don't collide and a same-user pre-placed symlink at + REM a predictable path can't redirect curl's output. + set "RELEASE_JSON=%TEMP%\plannotator-release-%RANDOM%.json" + curl -fsSL "https://api.github.com/repos/!REPO!/releases/latest" -o "!RELEASE_JSON!" if !ERRORLEVEL! neq 0 ( echo Failed to get latest version >&2 exit /b 1 ) REM Extract tag_name from JSON - for /f "tokens=2 delims=:," %%i in ('findstr /c:"\"tag_name\"" "%TEMP%\release.json"') do ( + for /f "tokens=2 delims=:," %%i in ('findstr /c:"\"tag_name\"" "!RELEASE_JSON!"') do ( set "TAG=%%i" set "TAG=!TAG: =!" set "TAG=!TAG:"=!" ) - del "%TEMP%\release.json" + del "!RELEASE_JSON!" if "!TAG!"=="" ( echo Failed to parse version >&2 @@ -123,9 +134,11 @@ if /i "!VERSION!"=="latest" ( ) ) else ( set "TAG=!VERSION!" - REM Add v prefix if not present - echo !TAG! | findstr /b "v" >nul - if !ERRORLEVEL! neq 0 set "TAG=v!TAG!" + REM Add v prefix if not present. Use a substring test rather than + REM piping the expanded variable through findstr — an unquoted echo + REM pipe re-exposes cmd metacharacters (& | > <) in the value before + REM the pipe runs. Matches the safe pattern used in the arg parser. + if not "!TAG:~0,1!"=="v" set "TAG=v!TAG!" ) echo Installing plannotator !TAG!... @@ -134,8 +147,12 @@ set "BINARY_NAME=plannotator-!PLATFORM!.exe" set "BINARY_URL=https://github.com/!REPO!/releases/download/!TAG!/!BINARY_NAME!" set "CHECKSUM_URL=!BINARY_URL!.sha256" -REM Download binary -set "TEMP_FILE=%TEMP%\plannotator-!TAG!.exe" +REM Download binary to a randomized temp path so concurrent invocations +REM don't collide and a same-user pre-placed symlink at a predictable +REM path can't redirect where curl writes the downloaded executable. +REM The SHA256 check would pass regardless (content is authentic), but +REM the install destination would be corrupted. +set "TEMP_FILE=%TEMP%\plannotator-%RANDOM%.exe" curl -fsSL "!BINARY_URL!" -o "!TEMP_FILE!" if !ERRORLEVEL! neq 0 ( echo Failed to download binary >&2 diff --git a/scripts/install.ps1 b/scripts/install.ps1 index c2b342bf..36804ffb 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -7,6 +7,14 @@ param( $ErrorActionPreference = "Stop" +# Reject mutually-exclusive flag combinations upfront. Passing both is +# almost always a typo or wrapper-script misconfiguration; guessing which +# one the user meant is worse than failing fast. +if ($VerifyAttestation -and $SkipAttestation) { + [Console]::Error.WriteLine("-VerifyAttestation and -SkipAttestation are mutually exclusive. Pass one or the other.") + exit 1 +} + $repo = "backnotprop/plannotator" $installDir = "$env:LOCALAPPDATA\plannotator" @@ -131,7 +139,14 @@ if ($verifyAttestationResolved) { # Write to stderr directly — Write-Host goes to PowerShell's # Information stream, which is silently dropped when callers # redirect stderr for error reporting in CI/CD pipelines. - [Console]::Error.WriteLine($verifyOutput) + # + # `& gh ... 2>&1` captures multi-line output as an object[] + # array. Passing the array directly to [Console]::Error.WriteLine + # binds to the WriteLine(object) overload, which calls ToString() + # on the array and yields the useless literal "System.Object[]". + # Out-String normalizes the array back into a single formatted + # string so the actual gh diagnostic is visible. + [Console]::Error.WriteLine(($verifyOutput | Out-String).TrimEnd()) Remove-Item $tmpFile -Force Write-Error "Attestation verification failed! The binary's SHA256 matched, but no valid signed provenance was found for $repo. Refusing to install." exit 1 diff --git a/scripts/install.sh b/scripts/install.sh index bcabc8a4..ddc6557b 100644 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -80,10 +80,20 @@ while [ $# -gt 0 ]; do shift ;; --verify-attestation) + if [ "$VERIFY_ATTESTATION_FLAG" = "0" ]; then + echo "--verify-attestation and --skip-attestation are mutually exclusive" >&2 + usage >&2 + exit 1 + fi VERIFY_ATTESTATION_FLAG=1 shift ;; --skip-attestation) + if [ "$VERIFY_ATTESTATION_FLAG" = "1" ]; then + echo "--skip-attestation and --verify-attestation are mutually exclusive" >&2 + usage >&2 + exit 1 + fi VERIFY_ATTESTATION_FLAG=0 shift ;; diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 13a56784..a78203e8 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -248,15 +248,65 @@ describe("install shared behavior", () => { expect(cmdScript).toContain("Unexpected positional argument:"); }); - test("install.ps1 writes gh error output to stderr, not Write-Host", () => { - // Regression guard: Write-Host goes to PowerShell's Information stream - // and is silently dropped when CI pipelines capture stderr. Use the - // native stderr handle instead. See install.sh:177 and install.cmd for - // the equivalent stderr writes. - expect(ps).toContain("[Console]::Error.WriteLine($verifyOutput)"); + test("install.ps1 writes gh error output to stderr via Out-String", () => { + // Regression guard 1: Write-Host goes to PowerShell's Information + // stream and is silently dropped when CI pipelines capture stderr. + // Use the native stderr handle instead. See install.sh:177 and + // install.cmd for the equivalent stderr writes. + // + // Regression guard 2: `& gh ... 2>&1` captures multi-line output as + // an object[] array. Passing the array directly to + // [Console]::Error.WriteLine binds to the WriteLine(object) overload, + // calls ToString() on the array, and yields the literal + // "System.Object[]" instead of the actual gh diagnostic — silently + // hiding exactly the error message this code path is supposed to + // surface. Must be normalized via Out-String first. + expect(ps).toContain("[Console]::Error.WriteLine"); + expect(ps).toContain("Out-String"); expect(ps).not.toContain("Write-Host $verifyOutput"); }); + test("all installers reject --verify-attestation + --skip-attestation together", () => { + // Regression guard: passing both flags used to behave inconsistently + // across the three installers (bash/cmd took last-wins by command- + // line order; ps1 took a fixed SkipAttestation-always-wins). No sane + // user passes both, so the right behavior is to reject the ambiguous + // combination upfront with a clean "mutually exclusive" error. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + + // install.sh — guards in both --verify-attestation and --skip-attestation arms + expect(sh).toContain("mutually exclusive"); + // install.cmd — same guard in both arms + expect(cmdScript).toContain("mutually exclusive"); + // install.ps1 — one guard right after param block + expect(ps).toContain("mutually exclusive"); + expect(ps).toMatch(/\$VerifyAttestation -and \$SkipAttestation/); + }); + + test("install.cmd uses randomized temp paths for release.json and binary download", () => { + // Regression guard: fixed temp filenames (%TEMP%\release.json, + // %TEMP%\plannotator-.exe) collide between concurrent invocations + // and allow a same-user pre-placed symlink to redirect curl's output. + // The GH_OUTPUT temp file already uses %RANDOM%; the other two must + // match that pattern. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + expect(cmdScript).toContain("plannotator-release-%RANDOM%.json"); + expect(cmdScript).toContain("plannotator-%RANDOM%.exe"); + // And the fixed paths must be gone + expect(cmdScript).not.toContain("%TEMP%\\release.json"); + expect(cmdScript).not.toMatch(/%TEMP%\\plannotator-!TAG!\.exe/); + }); + + test("install.cmd uses substring test (not echo|findstr) for v-prefix normalization", () => { + // Regression guard: `echo !TAG! | findstr /b "v"` pipes an unquoted + // expanded variable, re-exposing cmd metacharacters (& | > <) in + // the value before the pipe parses. Must use the safe substring + // test pattern used elsewhere in the script. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + expect(cmdScript).toContain('if not "!TAG:~0,1!"=="v"'); + expect(cmdScript).not.toContain("echo !TAG! | findstr"); + }); + test("all installers constrain attestation verify to tag + signer workflow", () => { // Every `gh attestation verify` call must pass --source-ref and // --signer-workflow, not just --repo. Without --source-ref a From a221b84278548f2e7521e8931c8bc74ad06eedd8 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 14:49:47 -0700 Subject: [PATCH 09/24] fix(install.cmd): randomize checksum temp path + tighten test assertions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Self-review catch on top of the cycle 5 commit: - `%TEMP%\checksum.txt` (lines 164/172/174) was still a fixed predictable path. Same concurrency + symlink-pre-placement class as release.json and TEMP_FILE that cycle 5 fixed. Inconsistent to fix two of three and leave the third. Renamed to `%TEMP%\plannotator-checksum-%RANDOM%.txt` matching the established pattern. The reviewer didn't flag this one — I missed it during the cycle 5 sweep. - Tightened the Out-String regression test from a weak "Out-String appears somewhere in the file" check to a regex matching the specific `$verifyOutput | Out-String` wiring. Previous assertion would have passed even if some future bug accidentally wrapped the mutex-guard string literal in Out-String while leaving $verifyOutput unprotected. - Expanded the randomized-temp-paths test to cover all four curl download targets (release.json, binary, checksum sidecar, gh output capture) rather than the two originally in scope, and to assert the old fixed paths (including checksum.txt) are gone. 35 tests still pass. For provenance purposes, this commit was AI assisted. --- scripts/install.cmd | 10 ++++++---- scripts/install.test.ts | 21 +++++++++++++-------- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/scripts/install.cmd b/scripts/install.cmd index 54d21c57..35e15419 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -160,8 +160,10 @@ if !ERRORLEVEL! neq 0 ( exit /b 1 ) -REM Download checksum -curl -fsSL "!CHECKSUM_URL!" -o "%TEMP%\checksum.txt" +REM Download checksum to a randomized temp path for the same reason as +REM the binary download above (concurrent collision + symlink pre-placement). +set "CHECKSUM_FILE=%TEMP%\plannotator-checksum-%RANDOM%.txt" +curl -fsSL "!CHECKSUM_URL!" -o "!CHECKSUM_FILE!" if !ERRORLEVEL! neq 0 ( echo Failed to download checksum >&2 del "!TEMP_FILE!" @@ -169,9 +171,9 @@ if !ERRORLEVEL! neq 0 ( ) REM Extract expected checksum (first field) -set /p EXPECTED_CHECKSUM=<"%TEMP%\checksum.txt" +set /p EXPECTED_CHECKSUM=<"!CHECKSUM_FILE!" for /f "tokens=1" %%i in ("!EXPECTED_CHECKSUM!") do set "EXPECTED_CHECKSUM=%%i" -del "%TEMP%\checksum.txt" +del "!CHECKSUM_FILE!" REM Verify checksum using certutil set "ACTUAL_CHECKSUM=" diff --git a/scripts/install.test.ts b/scripts/install.test.ts index a78203e8..0bd8a447 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -261,8 +261,10 @@ describe("install shared behavior", () => { // "System.Object[]" instead of the actual gh diagnostic — silently // hiding exactly the error message this code path is supposed to // surface. Must be normalized via Out-String first. + // Tighter assertion: the Out-String must be wired specifically on + // the $verifyOutput path, not just present somewhere in the file. + expect(ps).toMatch(/\$verifyOutput\s*\|\s*Out-String/); expect(ps).toContain("[Console]::Error.WriteLine"); - expect(ps).toContain("Out-String"); expect(ps).not.toContain("Write-Host $verifyOutput"); }); @@ -283,17 +285,20 @@ describe("install shared behavior", () => { expect(ps).toMatch(/\$VerifyAttestation -and \$SkipAttestation/); }); - test("install.cmd uses randomized temp paths for release.json and binary download", () => { - // Regression guard: fixed temp filenames (%TEMP%\release.json, - // %TEMP%\plannotator-.exe) collide between concurrent invocations - // and allow a same-user pre-placed symlink to redirect curl's output. - // The GH_OUTPUT temp file already uses %RANDOM%; the other two must - // match that pattern. + test("install.cmd uses randomized temp paths for all curl downloads", () => { + // Regression guard: fixed temp filenames collide between concurrent + // invocations and allow same-user symlink pre-placement to redirect + // curl's output. Every `-o` target in install.cmd must use %RANDOM%. + // Covers release.json, the binary itself, the checksum sidecar, and + // the gh attestation output capture. const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); expect(cmdScript).toContain("plannotator-release-%RANDOM%.json"); expect(cmdScript).toContain("plannotator-%RANDOM%.exe"); - // And the fixed paths must be gone + expect(cmdScript).toContain("plannotator-checksum-%RANDOM%.txt"); + expect(cmdScript).toContain("plannotator-gh-%RANDOM%.txt"); + // And every fixed-path variant must be gone expect(cmdScript).not.toContain("%TEMP%\\release.json"); + expect(cmdScript).not.toContain("%TEMP%\\checksum.txt"); expect(cmdScript).not.toMatch(/%TEMP%\\plannotator-!TAG!\.exe/); }); From a226a8fe4fb796cb360af14687d2cfd7a29b22c3 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 15:24:35 -0700 Subject: [PATCH 10/24] fix(install.cmd): escape ! in Claude Code slash command files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pre-existing bug flagged in PR #512 review cycle 6. install.cmd writes the three Claude Code slash command files (plannotator-review.md, plannotator-annotate.md, plannotator-last.md) via `echo` lines inside `setlocal enabledelayedexpansion`. cmd.exe's Phase 2 parser strips unmatched `!` characters — so lines like: echo !`plannotator review $ARGUMENTS` ended up in the written file as: `plannotator review $ARGUMENTS` without the leading `!`. The `!` prefix is what tells Claude Code to execute the backtick block as a shell command; without it, Claude Code renders the line as inline markdown code and the slash command is a silent no-op. The install appeared to succeed, but every Windows cmd user got three broken slash command files. install.sh (single-quoted heredocs) and install.ps1 (single-quoted here-strings) write the `!` correctly because their respective literal-string idioms bypass shell expansion entirely. install.cmd has no single-quote-literal equivalent — its escape hatch is `^!`. The Gemini section of install.cmd (lines 482, 495) already uses `^!` correctly; the Claude Code section didn't until now. Fix: three characters — `echo !` → `echo ^!` on lines 334, 351, 368. Brings install.cmd into parity with the other two installers. No divergence introduced; existing divergence removed. Two regression guards added: - Unit test in install.test.ts asserts install.cmd contains the escaped form for all three command files and does not contain the unescaped form. - New step in the Windows CI integration job reads back each generated .md file from %USERPROFILE%\.claude\commands\ and asserts it contains the literal `!`\`plannotator` prefix. Catches the bug at the actual file-write level on a real Windows runner, not just via source-code grep. 36 install tests pass (was 35). Note: the broader architectural issue — all three installers carry hand-typed duplicates of command content that already lives at apps/hook/commands/*.md — is deferred to a follow-up issue. The cmd bug is the visibly-broken symptom; the deduplication is the long-term fix. For provenance purposes, this commit was AI assisted. --- .github/workflows/test.yml | 28 ++++++++++++++++++++++++++++ scripts/install.cmd | 6 +++--- scripts/install.test.ts | 18 ++++++++++++++++++ 3 files changed, 49 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 36feea5b..80ef0011 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -146,6 +146,34 @@ jobs: Write-Host "✓ Gemini settings.json merge verified (issue #506 regression guard)" + - name: Verify Claude Code slash command files contain the shell-invocation prefix + shell: pwsh + run: | + # Regression guard: install.cmd previously wrote `echo !`plannotator + # review $ARGUMENTS`` (note the unescaped `!`) under + # setlocal enabledelayedexpansion, which silently stripped the `!` + # from the written .md file. Without the `!` prefix, Claude Code + # renders the backtick block as inline markdown code and the slash + # command is a silent no-op when invoked — the install appears + # successful but the command does nothing. + # + # install.sh and install.ps1 already write the `!` correctly via + # single-quoted heredocs / here-strings. This step checks that + # install.cmd now matches (via `echo ^!`) and catches future + # regressions of the same class. + $cmdDir = "$env:USERPROFILE\.claude\commands" + foreach ($file in @("plannotator-review.md", "plannotator-annotate.md", "plannotator-last.md")) { + $path = Join-Path $cmdDir $file + if (-not (Test-Path $path)) { + throw "Expected slash command file missing: $path" + } + $content = Get-Content $path -Raw + if ($content -notmatch '!`plannotator') { + throw "Slash command file $file is missing the '!' shell-invocation prefix. Content: $content" + } + } + Write-Host "✓ All three Claude Code slash command files contain the '!' prefix" + - name: Unknown flag is rejected with non-zero exit shell: pwsh run: | diff --git a/scripts/install.cmd b/scripts/install.cmd index 35e15419..9c3a9a56 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -331,7 +331,7 @@ echo --- echo. echo ## Code Review Feedback echo. -echo !`plannotator review $ARGUMENTS` +echo ^!`plannotator review $ARGUMENTS` echo. echo ## Your task echo. @@ -348,7 +348,7 @@ echo --- echo. echo ## Markdown Annotations echo. -echo !`plannotator annotate $ARGUMENTS` +echo ^!`plannotator annotate $ARGUMENTS` echo. echo ## Your task echo. @@ -365,7 +365,7 @@ echo --- echo. echo ## Message Annotations echo. -echo !`plannotator annotate-last` +echo ^!`plannotator annotate-last` echo. echo ## Your task echo. diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 0bd8a447..12a39672 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -302,6 +302,24 @@ describe("install shared behavior", () => { expect(cmdScript).not.toMatch(/%TEMP%\\plannotator-!TAG!\.exe/); }); + test("install.cmd escapes ! in Claude Code slash command echoes", () => { + // Regression guard: under setlocal enabledelayedexpansion, an unmatched + // `!` in an echo line is silently stripped from the written file. The + // Claude Code slash command format requires a `!` prefix before the + // backtick-delimited shell invocation — without it, the command file + // is a functional no-op. install.sh and install.ps1 write the `!` + // correctly via their respective literal-string idioms; install.cmd + // must use `^!` to escape it from delayed expansion. The Gemini + // section of install.cmd already does this correctly — the Claude + // Code section didn't until this fix. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + expect(cmdScript).toContain("echo ^!`plannotator review $ARGUMENTS`"); + expect(cmdScript).toContain("echo ^!`plannotator annotate $ARGUMENTS`"); + expect(cmdScript).toContain("echo ^!`plannotator annotate-last`"); + // And the unescaped forms must be gone + expect(cmdScript).not.toMatch(/^echo !`plannotator/m); + }); + test("install.cmd uses substring test (not echo|findstr) for v-prefix normalization", () => { // Regression guard: `echo !TAG! | findstr /b "v"` pipes an unquoted // expanded variable, re-exposing cmd metacharacters (& | > <) in From a1e45ba1450b97d6c9290e1df391845a36b05d91 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 15:34:28 -0700 Subject: [PATCH 11/24] fix(install.cmd): double-caret escape for ! in slash command echoes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous fix used `echo ^!` for the three Claude Code slash command files. The Windows CI integration job's new file-readback assertion proved this is wrong: the generated plannotator-review.md still landed with no `!` prefix, making the slash command a silent no-op as before. Root cause: cmd has two escape phases under enabledelayedexpansion. Phase 1 (parse time): `^` escapes the next char. `^!` → `!`. The caret is consumed. Phase 2 (delayed expansion): the remaining bare `!` is an unmatched variable reference and gets stripped. Single `^!` dies in Phase 2 because Phase 1 already ate the caret. Double `^^!` survives: Phase 1 reduces `^^` to `^` (leaving `^!`), Phase 2 treats the caret as an escape for `!` and emits a literal. Cycle 6's fix got the direction right but the arithmetic wrong. The new file-readback assertion in test.yml caught it on the first real CI run, which is exactly why that assertion was added. Also fixes the Gemini slash command echoes (lines 482, 495) which used the identical incorrect `^!` pattern. The review comment flagged Gemini as "correct" based on source-reading alone; there was never any CI coverage for the Gemini file contents, and the Gemini section was silently broken for the same reason. Both sections now use `^^!`. Unit test updated to assert the double-caret form on all five echo lines (three Claude Code, two Gemini) and reject both the unescaped and single-caret variants. For provenance purposes, this commit was AI assisted. --- scripts/install.cmd | 10 +++++----- scripts/install.test.ts | 37 +++++++++++++++++++++++-------------- 2 files changed, 28 insertions(+), 19 deletions(-) diff --git a/scripts/install.cmd b/scripts/install.cmd index 9c3a9a56..620a9ea5 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -331,7 +331,7 @@ echo --- echo. echo ## Code Review Feedback echo. -echo ^!`plannotator review $ARGUMENTS` +echo ^^!`plannotator review $ARGUMENTS` echo. echo ## Your task echo. @@ -348,7 +348,7 @@ echo --- echo. echo ## Markdown Annotations echo. -echo ^!`plannotator annotate $ARGUMENTS` +echo ^^!`plannotator annotate $ARGUMENTS` echo. echo ## Your task echo. @@ -365,7 +365,7 @@ echo --- echo. echo ## Message Annotations echo. -echo ^!`plannotator annotate-last` +echo ^^!`plannotator annotate-last` echo. echo ## Your task echo. @@ -479,7 +479,7 @@ echo description = "Open interactive code review for current changes or a PR URL echo prompt = """ echo ## Code Review Feedback echo. -echo ^!{plannotator review {{args}}} +echo ^^!{plannotator review {{args}}} echo. echo ## Your task echo. @@ -492,7 +492,7 @@ echo description = "Open interactive annotation UI for a markdown file or folder echo prompt = """ echo ## Markdown Annotations echo. -echo ^!{plannotator annotate {{args}}} +echo ^^!{plannotator annotate {{args}}} echo. echo ## Your task echo. diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 12a39672..0ae04a78 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -302,22 +302,31 @@ describe("install shared behavior", () => { expect(cmdScript).not.toMatch(/%TEMP%\\plannotator-!TAG!\.exe/); }); - test("install.cmd escapes ! in Claude Code slash command echoes", () => { - // Regression guard: under setlocal enabledelayedexpansion, an unmatched - // `!` in an echo line is silently stripped from the written file. The - // Claude Code slash command format requires a `!` prefix before the - // backtick-delimited shell invocation — without it, the command file - // is a functional no-op. install.sh and install.ps1 write the `!` - // correctly via their respective literal-string idioms; install.cmd - // must use `^!` to escape it from delayed expansion. The Gemini - // section of install.cmd already does this correctly — the Claude - // Code section didn't until this fix. + test("install.cmd double-escapes ! in Claude Code and Gemini slash command echoes", () => { + // Regression guard: under setlocal enabledelayedexpansion, preserving a + // literal `!` through both cmd parser phases requires `^^!`, not `^!`. + // Phase 1 consumes one caret (`^^` → `^`), Phase 2 consumes the second + // (`^!` → `!`). A single `^!` gets converted to `!` by Phase 1 and then + // stripped by Phase 2 because it's an unmatched delayed-expansion + // reference — yielding a written file with no `!` at all. This was + // caught by the Windows CI integration step reading back the generated + // command files, after an earlier "fix" with single-caret escape + // silently continued to drop the prefix. + // + // Also covers the Gemini section, which used the same incorrect + // single-caret escape and was equally broken (but had no CI coverage). const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); - expect(cmdScript).toContain("echo ^!`plannotator review $ARGUMENTS`"); - expect(cmdScript).toContain("echo ^!`plannotator annotate $ARGUMENTS`"); - expect(cmdScript).toContain("echo ^!`plannotator annotate-last`"); - // And the unescaped forms must be gone + // Claude Code slash commands (three files) + expect(cmdScript).toContain("echo ^^!`plannotator review $ARGUMENTS`"); + expect(cmdScript).toContain("echo ^^!`plannotator annotate $ARGUMENTS`"); + expect(cmdScript).toContain("echo ^^!`plannotator annotate-last`"); + // Gemini slash commands (two files) + expect(cmdScript).toContain("echo ^^!{plannotator review {{args}}}"); + expect(cmdScript).toContain("echo ^^!{plannotator annotate {{args}}}"); + // And the single-caret and unescaped forms must be gone expect(cmdScript).not.toMatch(/^echo !`plannotator/m); + expect(cmdScript).not.toMatch(/^echo \^!`plannotator/m); + expect(cmdScript).not.toMatch(/^echo \^!{plannotator/m); }); test("install.cmd uses substring test (not echo|findstr) for v-prefix normalization", () => { From 33c5ee7f4bbb551745e82042196859e7288330cb Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 15:58:20 -0700 Subject: [PATCH 12/24] fix(install.ps1): fall back to x64 on ARM64 Windows instead of 404ing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pre-existing bug surfaced in PR #512 review cycle 7. install.ps1 detected ARM64 correctly and set $arch=arm64, constructing a URL for plannotator-win32-arm64.exe — which doesn't exist in any release. The release pipeline only builds bun-windows-x64 (release.yml line 88), so there is no native ARM64 Windows binary to download. With $ErrorActionPreference=Stop set at the top of the script, the resulting 404 on Invoke-WebRequest threw a terminating error and the install aborted with a stack trace. ARM64 Windows PowerShell users could not install plannotator at all. Meanwhile install.cmd, which hardcodes PLATFORM=win32-x64 and lets ARM64 hosts pass the arch check, silently installs the x64 binary and relies on Windows 11's x86-64 emulation layer to run it. This is accidentally the useful behavior — imperfect, but the user gets a working install instead of a hard failure. This commit brings install.ps1 into parity with install.cmd's (accidentally correct) behavior: - On 64-bit Windows, $arch is unconditionally "x64" — no more branch for arm64 that would download a nonexistent binary. - When PROCESSOR_ARCHITECTURE == ARM64, Write-Host prints a notice telling the user they're getting the x64 binary via Windows emulation so the behavior isn't silent. - 32-bit Windows still errors out (unchanged). Both Windows installer paths now produce a working install on both x64 and ARM64 hosts. No release pipeline changes. No new binaries. The test `detects ARM64 architecture` used to be a weak string- presence check that passed whether the ARM64 branch selected arm64 or x64. Rewrote it to assert the actual new contract: ARM64 is detected (for the notice), $arch is hardcoded to "x64", and the previous `{ "arm64" }` branch is gone so the regression can't silently return. Native ARM64 Windows builds tracked as a follow-up — requires verifying Bun's Windows ARM64 target support and adding bun-windows-arm64 to the release matrix. For provenance purposes, this commit was AI assisted. --- scripts/install.ps1 | 16 +++++++++++++--- scripts/install.test.ts | 17 ++++++++++++++++- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/scripts/install.ps1 b/scripts/install.ps1 index 36804ffb..22ef64f5 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -18,9 +18,19 @@ if ($VerifyAttestation -and $SkipAttestation) { $repo = "backnotprop/plannotator" $installDir = "$env:LOCALAPPDATA\plannotator" -# Detect architecture -$arch = if ([Environment]::Is64BitOperatingSystem) { - if ($env:PROCESSOR_ARCHITECTURE -eq "ARM64") { "arm64" } else { "x64" } +# Detect architecture. We don't currently ship a native ARM64 Windows +# binary — the release pipeline only builds bun-windows-x64. Windows 11 +# runs x64 binaries on ARM64 via emulation, so fall back to x64 on ARM64 +# hosts rather than hard-failing with a 404 on a binary we don't publish. +# install.cmd already (accidentally) does the same thing by hardcoding +# its PLATFORM to win32-x64; this brings install.ps1 into parity so both +# Windows installer paths produce a working install on ARM64. +# Native ARM64 Windows builds tracked as a follow-up. +if ([Environment]::Is64BitOperatingSystem) { + if ($env:PROCESSOR_ARCHITECTURE -eq "ARM64") { + Write-Host "ARM64 Windows detected — installing x64 binary (runs via Windows emulation)." + } + $arch = "x64" } else { Write-Error "32-bit Windows is not supported" exit 1 diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 0ae04a78..8859a6df 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -92,8 +92,23 @@ describe("install.ps1", () => { expect(script).toContain("UTF8.GetString"); }); - test("detects ARM64 architecture", () => { + test("ARM64 Windows falls back to x64 binary via Windows emulation", () => { + // We don't ship a native ARM64 Windows binary — release.yml builds + // only bun-windows-x64 — so install.ps1 must not select arm64 and + // then 404 on a non-existent binary. Instead, always set $arch=x64 + // on 64-bit Windows and print a notice when ARM64 is detected so + // users know they're running via emulation. + // + // Verify three things: + // 1. ARM64 is still detected (for the notice) + // 2. $arch is hardcoded to "x64" on 64-bit systems + // 3. The old `"arm64"` literal is not present as an $arch value expect(script).toContain('"ARM64"'); + expect(script).toContain('$arch = "x64"'); + expect(script).toContain("runs via Windows emulation"); + // The previous code had `{ "arm64" } else { "x64" }` — make sure the + // arm64 branch is gone so we can't regress to a 404 install. + expect(script).not.toMatch(/{\s*"arm64"\s*}/); }); test("adds to PATH via environment variable", () => { From f4776000f338a679866a5857a5aee2bdaa6b8acd Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 16:25:30 -0700 Subject: [PATCH 13/24] fix(install): pre-flight MIN_ATTESTED_VERSION guard + placeholder docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #512 cycle 7 review surfaced that opt-in provenance verification was dead-on-arrival for the window between this PR merging and the first post-merge release: - The docs showed `--version v0.17.1` as the pinned example. v0.17.1 was cut before this PR added attestation generation to release.yml, so any user copy-pasting the example AND enabling verification would hit a cryptic `gh: no attestations found` error and a hard install failure. - Default installs with verification enabled (via flag, env var, or config file) resolve `latest` to v0.17.1 and hit the same failure with no user-visible pinned version to "blame." Medium fix (better error message) was dismissed as lipstick — the install still fails, just with nicer wording. This is the maximum fix that actually prevents the failure path by checking the resolved tag against a hardcoded floor BEFORE downloading. ## Changes `scripts/install.sh`: - New `MIN_ATTESTED_VERSION="v0.18.0"` constant near the top - New `version_ge` helper using `sort -V` (handles v0.9.0 vs v0.10.0) - Moved three-layer verification resolution (config → env → flag) to before the download so $verify_attestation is known in time to gate network work - New pre-flight check: if verification is requested and the resolved tag is older than MIN_ATTESTED_VERSION, fail fast with a clean message listing recovery options (pin to newer version, --skip-attestation, or unset the env var / config). No binary download, no wasted SHA256 check. - Late `gh attestation verify` block now only handles the gh call itself — resolution and pre-flight moved upstream. `scripts/install.ps1`: - New `$minAttestedVersion = "v0.18.0"` constant - Pre-flight guard in the verification branch using PowerShell's [version] class for proper numeric comparison - Same error message content as install.sh `scripts/install.cmd`: - New `set "MIN_ATTESTED_VERSION=v0.18.0"` near REPO setup - Pre-flight guard shells out to PowerShell for semver comparison — Windows 10+ ships `powershell.exe` always, so no new runtime dependency. Hand-parsing semver in cmd was tried and rejected as too fragile for prerelease tags and non-numeric components. `apps/marketing/.../installation.md`, `apps/hook/README.md`, `README.md`, `scripts/install.sh --help`: - Replaced every user-facing `v0.17.1` example with `vX.Y.Z` placeholder. The placeholder pattern already exists in the "Verifying your install" section, so this is just consistency. - install.sh --help adds a link to the releases page so users know where to find actual tag values. `.agents/skills/release/SKILL.md`: - New Phase 4 checklist step: before shipping the first attested release, verify MIN_ATTESTED_VERSION in all three installers matches the tag being cut. The constant is bumped ONCE and never again — it's a permanent floor, not a moving target. If the first post-merge release is not v0.18.0, the skill updates the constant in the same commit as the version bump so the installers served from plannotator.ai activate the new floor at the same moment the first attested release becomes fetchable. `scripts/install.test.ts`: - New test asserts all three installers hardcode MIN_ATTESTED_VERSION, use appropriate version comparison for their dialect, and contain the "predates" error message - New test asserts install.sh and --help text no longer contain `v0.17.1` as a pinned example 38 install tests pass (was 36). Smoke-tested install.sh end-to-end: - `--version v0.17.1 --verify-attestation` → pre-flight rejects cleanly, no download attempted, exit 1 with actionable error - `--version v0.18.0 --verify-attestation` → pre-flight passes, script proceeds to download (404 as expected since v0.18.0 is not yet released) - `--version v0.17.1` (no verify) → pre-flight skipped, normal download path For provenance purposes, this commit was AI assisted. --- .agents/skills/release/SKILL.md | 14 +++ README.md | 4 +- apps/hook/README.md | 6 +- .../docs/getting-started/installation.md | 6 +- scripts/install.cmd | 24 +++++ scripts/install.ps1 | 26 +++++ scripts/install.sh | 96 ++++++++++++++----- scripts/install.test.ts | 38 ++++++++ 8 files changed, 180 insertions(+), 34 deletions(-) diff --git a/.agents/skills/release/SKILL.md b/.agents/skills/release/SKILL.md index e86632d1..1531591b 100644 --- a/.agents/skills/release/SKILL.md +++ b/.agents/skills/release/SKILL.md @@ -195,6 +195,20 @@ If anything is missing, fix it before proceeding to Phase 4. Common fixes: **Note on immutable releases:** The repo has GitHub Immutable Releases enabled, so once the `v*` tag is pushed and the release is created, the tag→commit and tag→asset bindings are permanent. You cannot delete and re-create a tag to "fix" a bad release — you must ship a new version. Release notes remain editable (see step 5), but everything else is locked. + **⚠️ One-time `MIN_ATTESTED_VERSION` bump — only for the first attested release (v0.18.0 expected):** + + The three installers (`scripts/install.sh`, `scripts/install.ps1`, `scripts/install.cmd`) each hardcode a `MIN_ATTESTED_VERSION` constant. This constant exists to reject `--verify-attestation` / `PLANNOTATOR_VERIFY_ATTESTATION=1` / `verifyAttestation: true` requests for any release that predates provenance support, with a clean error pointing the user at `--skip-attestation` or pinning to a newer version. Otherwise users would see a cryptic `gh attestation verify: no attestations found` error. + + Before shipping the first attested release, verify `MIN_ATTESTED_VERSION` in all three installers matches the version you're about to cut: + + ```bash + grep -n "MIN_ATTESTED_VERSION" scripts/install.sh scripts/install.ps1 scripts/install.cmd + ``` + + Expected value: the exact tag you're releasing (e.g. `v0.18.0`). If the release version is different from the currently-hardcoded value, bump it in all three files **in the same commit as the version bump** so the installers on `plannotator.ai` (served from `main`) activate the constant at the same moment the first attested release becomes fetchable. + + After the first attested release has shipped, this constant does NOT need to be bumped on subsequent releases. It is a floor, not a moving target — leave it at whatever the first attested version was. + 4. **Monitor the pipeline:** Watch the release workflow run until it completes: ```bash diff --git a/README.md b/README.md index d5fe6855..a648c5ad 100644 --- a/README.md +++ b/README.md @@ -70,7 +70,7 @@ Plannotator lets you privately share plans, annotations, and feedback with colle curl -fsSL https://plannotator.ai/install.sh | bash # Pin to a specific reviewed version -curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.1 +curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version vX.Y.Z ``` **Windows PowerShell:** @@ -80,7 +80,7 @@ curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.1 irm https://plannotator.ai/install.ps1 | iex # Pin to a specific reviewed version -& ([scriptblock]::Create((irm https://plannotator.ai/install.ps1))) -Version v0.17.1 +& ([scriptblock]::Create((irm https://plannotator.ai/install.ps1))) -Version vX.Y.Z ``` Every released binary ships with a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore. For manual verification commands and opt-in auto-verification during upgrades, see the [installation docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install). diff --git a/apps/hook/README.md b/apps/hook/README.md index 100850db..7ada58b9 100644 --- a/apps/hook/README.md +++ b/apps/hook/README.md @@ -12,7 +12,7 @@ Install the `plannotator` command so Claude Code can use it: curl -fsSL https://plannotator.ai/install.sh | bash # Pin to a specific reviewed version -curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.1 +curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version vX.Y.Z ``` **Windows PowerShell:** @@ -21,7 +21,7 @@ curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.1 irm https://plannotator.ai/install.ps1 | iex # Pin to a specific reviewed version -& ([scriptblock]::Create((irm https://plannotator.ai/install.ps1))) -Version v0.17.1 +& ([scriptblock]::Create((irm https://plannotator.ai/install.ps1))) -Version vX.Y.Z ``` **Windows CMD:** @@ -29,7 +29,7 @@ irm https://plannotator.ai/install.ps1 | iex curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd && del install.cmd REM Pin to a specific reviewed version -curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd --version v0.17.1 && del install.cmd +curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd --version vX.Y.Z && del install.cmd ``` Released binaries ship with SHA256 sidecars (verified automatically on every install) and [SLSA build provenance](https://slsa.dev/) attestations signed via Sigstore. For manual verification commands and the opt-in auto-verification flags, see the [installation docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install). diff --git a/apps/marketing/src/content/docs/getting-started/installation.md b/apps/marketing/src/content/docs/getting-started/installation.md index e1929e99..9f91bd2b 100644 --- a/apps/marketing/src/content/docs/getting-started/installation.md +++ b/apps/marketing/src/content/docs/getting-started/installation.md @@ -19,7 +19,7 @@ Install the `plannotator` command so your agent can use it. curl -fsSL https://plannotator.ai/install.sh | bash # Pin to a specific reviewed version -curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.1 +curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version vX.Y.Z ``` **Windows PowerShell:** @@ -29,7 +29,7 @@ curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.1 irm https://plannotator.ai/install.ps1 | iex # Pin to a specific reviewed version -& ([scriptblock]::Create((irm https://plannotator.ai/install.ps1))) -Version v0.17.1 +& ([scriptblock]::Create((irm https://plannotator.ai/install.ps1))) -Version vX.Y.Z ``` **Windows CMD:** @@ -38,7 +38,7 @@ irm https://plannotator.ai/install.ps1 | iex curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd && del install.cmd REM Pin to a specific reviewed version -curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd --version v0.17.1 && del install.cmd +curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd --version vX.Y.Z && del install.cmd ``` The install script respects `CLAUDE_CONFIG_DIR` if set, placing hooks in your custom config directory instead of `~/.claude`. diff --git a/scripts/install.cmd b/scripts/install.cmd index 620a9ea5..0ae07ea1 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -85,6 +85,11 @@ set "REPO=backnotprop/plannotator" set "INSTALL_DIR=%USERPROFILE%\.local\bin" set "PLATFORM=win32-x64" +REM First plannotator release that carries SLSA build-provenance attestations. +REM See scripts/install.sh for the full explanation — this constant is +REM bumped once at the first attested release via the release skill. +set "MIN_ATTESTED_VERSION=v0.18.0" + REM Check for 64-bit Windows if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" goto :arch_valid if /i "%PROCESSOR_ARCHITECTURE%"=="ARM64" goto :arch_valid @@ -213,6 +218,25 @@ if "!VERIFY_ATTESTATION_FLAG!"=="1" set "VERIFY_ATTESTATION=1" if "!VERIFY_ATTESTATION_FLAG!"=="0" set "VERIFY_ATTESTATION=0" if "!VERIFY_ATTESTATION!"=="1" ( + REM Pre-flight: reject the verification request before downloading if + REM the resolved tag predates provenance support. Uses PowerShell's + REM [version] class for proper semver comparison. Windows 10+ ships + REM powershell.exe always, so this doesn't add a runtime dependency. + set "TAG_NUM=!TAG:v=!" + set "MIN_NUM=!MIN_ATTESTED_VERSION:v=!" + set "VERSION_OK=" + for /f "delims=" %%i in ('powershell -NoProfile -Command "try { if ([version]'!TAG_NUM!' -ge [version]'!MIN_NUM!') { 'yes' } } catch {}"') do set "VERSION_OK=%%i" + if not "!VERSION_OK!"=="yes" ( + echo Provenance verification was requested, but !TAG! predates >&2 + echo plannotator's attestation support. The first release carrying >&2 + echo signed build provenance is !MIN_ATTESTED_VERSION!. Options: >&2 + echo - Pin to !MIN_ATTESTED_VERSION! or later: --version !MIN_ATTESTED_VERSION! >&2 + echo - Install without provenance verification: --skip-attestation >&2 + echo - Or unset PLANNOTATOR_VERIFY_ATTESTATION / remove verifyAttestation >&2 + echo from %USERPROFILE%\.plannotator\config.json >&2 + del "!TEMP_FILE!" + exit /b 1 + ) where gh >nul 2>&1 if !ERRORLEVEL! equ 0 ( REM Capture combined output to a randomized temp file so gh's diff --git a/scripts/install.ps1 b/scripts/install.ps1 index 22ef64f5..8494cafc 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -18,6 +18,11 @@ if ($VerifyAttestation -and $SkipAttestation) { $repo = "backnotprop/plannotator" $installDir = "$env:LOCALAPPDATA\plannotator" +# First plannotator release that carries SLSA build-provenance attestations. +# See scripts/install.sh for the full explanation — this constant is bumped +# once at the first attested release via the release skill. +$minAttestedVersion = "v0.18.0" + # Detect architecture. We don't currently ship a native ARM64 Windows # binary — the release pipeline only builds bun-windows-x64. Windows 11 # runs x64 binaries on ARM64 via emulation, so fall back to x64 on ARM64 @@ -136,6 +141,27 @@ if ($VerifyAttestation) { $verifyAttestationResolved = $true } if ($SkipAttestation) { $verifyAttestationResolved = $false } if ($verifyAttestationResolved) { + # Pre-flight: reject the verification request before downloading if the + # resolved tag predates provenance support. Uses PowerShell's [version] + # class for proper numeric comparison (unlike lexicographic string cmp + # which gets v0.9.0 vs v0.10.0 backwards). + try { + $resolvedVersion = [version]($latestTag -replace '^v', '') + $minVersion = [version]($minAttestedVersion -replace '^v', '') + } catch { + Remove-Item $tmpFile -Force + Write-Error "Could not parse version tags for provenance check: latest=$latestTag min=$minAttestedVersion" + exit 1 + } + if ($resolvedVersion -lt $minVersion) { + Remove-Item $tmpFile -Force + [Console]::Error.WriteLine("Provenance verification was requested, but $latestTag predates plannotator's attestation support.") + [Console]::Error.WriteLine("The first release carrying signed build provenance is $minAttestedVersion. Options:") + [Console]::Error.WriteLine(" - Pin to $minAttestedVersion or later: -Version $minAttestedVersion") + [Console]::Error.WriteLine(" - Install without provenance verification: -SkipAttestation") + [Console]::Error.WriteLine(" - Or unset PLANNOTATOR_VERIFY_ATTESTATION / remove verifyAttestation from $configPath") + exit 1 + } if (Get-Command gh -ErrorAction SilentlyContinue) { # Constrain verification to the exact tag + signing workflow — see # install.sh comment for rationale. diff --git a/scripts/install.sh b/scripts/install.sh index ddc6557b..2ff29d4a 100644 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -4,6 +4,24 @@ set -e REPO="backnotprop/plannotator" INSTALL_DIR="$HOME/.local/bin" +# First plannotator release that carries SLSA build-provenance attestations. +# Releases before this tag were cut before release.yml added the +# `actions/attest-build-provenance` step, so `gh attestation verify` will +# fail with "no attestations found" for them regardless of authenticity. +# When provenance verification is enabled (via flag, env var, or +# ~/.plannotator/config.json), the installer compares the resolved tag +# against this constant and fails fast with a clear message instead of +# downloading a binary, running SHA256, and then hitting a cryptic gh +# failure. Bumped once at the first attested release via the release skill. +MIN_ATTESTED_VERSION="v0.18.0" + +# Compare two vMAJOR.MINOR.PATCH tags. Returns 0 (success) if $1 >= $2. +# Uses `sort -V` (version sort) which handles minor/patch width correctly +# unlike plain lexicographic comparison (e.g. v0.9.0 vs v0.10.0). +version_ge() { + [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ] +} + VERSION="latest" # Tracks whether a version was explicitly set via --version or positional. # Used to reject mixing --version with a stray positional token, @@ -20,7 +38,8 @@ Usage: install.sh [--version ] [--verify-attestation | --skip-attestation] install.sh Options: - --version Install a specific version (e.g. v0.17.1 or 0.17.1). + --version Install a specific version (e.g. vX.Y.Z or X.Y.Z; + see https://github.com/backnotprop/plannotator/releases). Defaults to the latest GitHub release. --verify-attestation Require SLSA build-provenance verification via `gh attestation verify`. Fails the install if gh is @@ -36,9 +55,9 @@ Provenance verification is off by default. Enable it by any of: Examples: curl -fsSL https://plannotator.ai/install.sh | bash - curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.1 + curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version vX.Y.Z curl -fsSL https://plannotator.ai/install.sh | bash -s -- --verify-attestation - bash install.sh v0.17.1 + bash install.sh vX.Y.Z USAGE } @@ -163,29 +182,11 @@ fi echo "Installing plannotator ${latest_tag}..." -binary_url="https://github.com/${REPO}/releases/download/${latest_tag}/${binary_name}" -checksum_url="${binary_url}.sha256" - -mkdir -p "$INSTALL_DIR" - -tmp_file=$(mktemp) -curl -fsSL -o "$tmp_file" "$binary_url" - -expected_checksum=$(curl -fsSL "$checksum_url" | cut -d' ' -f1) - -if [ "$(uname -s)" = "Darwin" ]; then - actual_checksum=$(shasum -a 256 "$tmp_file" | cut -d' ' -f1) -else - actual_checksum=$(sha256sum "$tmp_file" | cut -d' ' -f1) -fi - -if [ "$actual_checksum" != "$expected_checksum" ]; then - echo "Checksum verification failed!" >&2 - rm -f "$tmp_file" - exit 1 -fi - -# Resolve SLSA build-provenance verification opt-in. +# Resolve SLSA build-provenance verification opt-in BEFORE the download so we +# can fail fast without wasting bandwidth if the requested tag predates +# provenance support. The three layers (config file, env var, CLI flag) are +# all cheap to check — no reason to defer this past the arg parse. +# # Precedence: CLI flag > env var > ~/.plannotator/config.json > default (off). verify_attestation=0 @@ -209,7 +210,50 @@ if [ "$VERIFY_ATTESTATION_FLAG" -ne -1 ]; then verify_attestation="$VERIFY_ATTESTATION_FLAG" fi +# Pre-flight: if verification is requested, reject tags older than the first +# attested release before we download anything. This catches both explicit +# `--version ` and implicit `latest`-resolves-to-old-tag cases with +# a clean, actionable error — no cryptic `gh: no attestations found` after +# a wasted download. +if [ "$verify_attestation" -eq 1 ]; then + if ! version_ge "$latest_tag" "$MIN_ATTESTED_VERSION"; then + echo "Provenance verification was requested, but ${latest_tag} predates" >&2 + echo "plannotator's attestation support. The first release carrying signed" >&2 + echo "build provenance is ${MIN_ATTESTED_VERSION}. Options:" >&2 + echo " - Pin to ${MIN_ATTESTED_VERSION} or later: --version ${MIN_ATTESTED_VERSION}" >&2 + echo " - Install without provenance verification: --skip-attestation" >&2 + echo " - Or unset PLANNOTATOR_VERIFY_ATTESTATION / remove verifyAttestation" >&2 + echo " from ~/.plannotator/config.json" >&2 + exit 1 + fi +fi + +binary_url="https://github.com/${REPO}/releases/download/${latest_tag}/${binary_name}" +checksum_url="${binary_url}.sha256" + +mkdir -p "$INSTALL_DIR" + +tmp_file=$(mktemp) +curl -fsSL -o "$tmp_file" "$binary_url" + +expected_checksum=$(curl -fsSL "$checksum_url" | cut -d' ' -f1) + +if [ "$(uname -s)" = "Darwin" ]; then + actual_checksum=$(shasum -a 256 "$tmp_file" | cut -d' ' -f1) +else + actual_checksum=$(sha256sum "$tmp_file" | cut -d' ' -f1) +fi + +if [ "$actual_checksum" != "$expected_checksum" ]; then + echo "Checksum verification failed!" >&2 + rm -f "$tmp_file" + exit 1 +fi + if [ "$verify_attestation" -eq 1 ]; then + # $verify_attestation was resolved before the download; MIN_ATTESTED_VERSION + # pre-flight already ran and rejected old tags. At this point we know + # the tag is attested and gh should find a bundle. if command -v gh >/dev/null 2>&1; then # Capture combined output so we can surface gh's actual error message # (auth, network, missing attestation, etc.) on failure instead of a diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 8859a6df..f415fb30 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -317,6 +317,44 @@ describe("install shared behavior", () => { expect(cmdScript).not.toMatch(/%TEMP%\\plannotator-!TAG!\.exe/); }); + test("all installers hardcode MIN_ATTESTED_VERSION and guard verification against older tags", () => { + // Releases cut before this PR added `actions/attest-build-provenance` + // to release.yml have no attestations. Running `gh attestation verify` + // against them fails with "no attestations found" — a cryptic error + // that doesn't explain the user's actual problem (old version, no + // provenance support). Each installer now hardcodes a + // MIN_ATTESTED_VERSION constant and rejects verification requests + // for older tags BEFORE downloading the binary, with a clean error + // telling the user how to recover. + // + // The constant is bumped once by the release skill at the first + // attested release and then left alone as a permanent floor. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + + // install.sh + expect(sh).toContain('MIN_ATTESTED_VERSION="v0.18.0"'); + expect(sh).toContain("version_ge"); + expect(sh).toContain("predates"); + // install.ps1 + expect(ps).toContain('$minAttestedVersion = "v0.18.0"'); + expect(ps).toContain("[version]"); + expect(ps).toContain("predates"); + // install.cmd + expect(cmdScript).toContain('set "MIN_ATTESTED_VERSION=v0.18.0"'); + expect(cmdScript).toContain("powershell -NoProfile -Command"); + expect(cmdScript).toContain("predates"); + }); + + test("install.sh and help text use vX.Y.Z placeholder not v0.17.1", () => { + // Regression guard: the docs and --help text previously used v0.17.1 + // as a concrete pinned-version example. That tag predates provenance + // support, so any user copy-pasting the example and enabling + // verification would hit a hard failure. Replaced with a generic + // vX.Y.Z placeholder across all user-facing docs. + expect(sh).not.toContain("--version v0.17.1"); + expect(sh).not.toContain("bash install.sh v0.17.1"); + }); + test("install.cmd double-escapes ! in Claude Code and Gemini slash command echoes", () => { // Regression guard: under setlocal enabledelayedexpansion, preserving a // literal `!` through both cmd parser phases requires `^^!`, not `^!`. From d33385dcf5a054fb966dfeea67109671191c65bc Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 16:46:23 -0700 Subject: [PATCH 14/24] fix(install): close PS injection + move Windows pre-flight before download MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #512 review cycle 8 raised three related findings, all verified against actual code. ## Critical: PowerShell command injection in install.cmd (Finding 2) Line 228 of the previous install.cmd passed the version comparison to PowerShell by interpolating delayed-expansion variables directly into the command string between single-quoted literals: for /f "delims=" %%i in ('powershell -NoProfile -Command "try { if ([version]'!TAG_NUM!' -ge [version]'!MIN_NUM!') { 'yes' } } catch {}"') do set "VERSION_OK=%%i" The arg parser rejected leading-dash values but not quotes or semicolons, so a user passing install.cmd --version "0.18.0'; calc; '0.18.0" produced the PowerShell command try { if ([version]'0.18.0'; calc; '0.18.0' -ge [version]'0.18.0') { 'yes' } } catch {} PowerShell permits statement sequences inside `if` condition parentheses — the last value is used — so `calc` executed as a side effect during the first evaluation phase. Attacker-controlled --version from a CI/CD wrapper (PR titles, external tag sources, etc.) equals arbitrary code execution as the invoking user. Fixed by passing the version strings via environment variables ($env:TAG_NUM, $env:MIN_NUM) instead of interpolating them into the PowerShell command string. PowerShell reads $env: values as raw strings and never parses them as code. The [version] cast throws on invalid input, catch {} swallows it, VERSION_OK stays empty, and the guard rejects — safe fail with a slightly less helpful but correct error message. ## Structural: Windows pre-flight ran post-download (Findings 1 & 3) install.sh was already restructured in the previous commit to run the three-layer resolution + MIN_ATTESTED_VERSION guard BEFORE the binary download, so users hit the "predates attestation support" error without wasting bandwidth. install.ps1 and install.cmd drifted — their resolution and pre-flight blocks stayed in their original post-SHA256 positions, meaning the binary was always downloaded and SHA256-verified even when the requested tag was doomed to fail provenance verification. The "Pre-flight: reject the verification request before downloading" comments were lies copied from install.sh. This commit moves both Windows installers' resolution + pre-flight blocks upstream of the download: install.ps1: resolution + pre-flight now run immediately after `Write-Host "Installing plannotator $latestTag..."`, before $tmpFile is created or Invoke-WebRequest runs. The late gh-call block keeps only the gh attestation verify call itself. install.cmd: same restructure. The late block keeps only the where-gh check and gh invocation. The `del "!TEMP_FILE!"` calls inside the rejection branch are gone (TEMP_FILE doesn't exist yet when the guard runs). ## Tests Added two new regression guards to scripts/install.test.ts: 1. Order-aware check for all three installers: the resolution block's opening line must appear textually BEFORE the curl / Invoke-WebRequest download line. Uses indexOf to compare positions. Catches any future regression that drifts the pre-flight back after download. 2. Injection-safe pattern check for install.cmd: asserts the PowerShell command references $env:TAG_NUM / $env:MIN_NUM and does NOT interpolate !TAG_NUM! / !MIN_NUM! between single quotes in any [version] cast. 40 install tests pass (was 38). Smoke-tested install.sh with --version v0.17.1 --verify-attestation — rejects cleanly with no download, same as before. For provenance purposes, this commit was AI assisted. --- scripts/install.cmd | 93 +++++++++++++++++++++++------------------ scripts/install.ps1 | 79 ++++++++++++++++++---------------- scripts/install.test.ts | 50 ++++++++++++++++++++++ 3 files changed, 144 insertions(+), 78 deletions(-) diff --git a/scripts/install.cmd b/scripts/install.cmd index 0ae07ea1..3e51c330 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -148,6 +148,55 @@ if /i "!VERSION!"=="latest" ( echo Installing plannotator !TAG!... +REM Resolve SLSA build-provenance verification opt-in BEFORE the download so +REM we can fail fast without wasting bandwidth if the requested tag predates +REM provenance support. Precedence: CLI flag > env var > config.json > default. +set "VERIFY_ATTESTATION=0" + +REM Layer 3: config file (lowest precedence of the opt-in sources). +if exist "%USERPROFILE%\.plannotator\config.json" ( + findstr /r /c:"\"verifyAttestation\"[ ]*:[ ]*true" "%USERPROFILE%\.plannotator\config.json" >nul 2>&1 + if !ERRORLEVEL! equ 0 set "VERIFY_ATTESTATION=1" +) + +REM Layer 2: env var (overrides config file). +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="1" set "VERIFY_ATTESTATION=1" +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="true" set "VERIFY_ATTESTATION=1" +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="yes" set "VERIFY_ATTESTATION=1" +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="0" set "VERIFY_ATTESTATION=0" +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="false" set "VERIFY_ATTESTATION=0" +if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="no" set "VERIFY_ATTESTATION=0" + +REM Layer 1: CLI flag (overrides everything). +if "!VERIFY_ATTESTATION_FLAG!"=="1" set "VERIFY_ATTESTATION=1" +if "!VERIFY_ATTESTATION_FLAG!"=="0" set "VERIFY_ATTESTATION=0" + +REM Pre-flight: reject verification requests for tags older than the first +REM attested release BEFORE downloading. Critical security point: the version +REM comparison uses $env:TAG_NUM / $env:MIN_NUM instead of interpolating +REM !TAG_NUM! / !MIN_NUM! into the PowerShell command string. Interpolation +REM would let a crafted --version value break out of the single-quoted literal +REM and execute arbitrary PowerShell (e.g. --version "0.18.0'; calc; '0.18.0" +REM would run Calculator). $env: reads the raw string; PowerShell never parses +REM the value as code. [version] cast throws on invalid input, catch swallows, +REM VERSION_OK stays empty, and the guard rejects — safe fail. +if "!VERIFY_ATTESTATION!"=="1" ( + set "TAG_NUM=!TAG:v=!" + set "MIN_NUM=!MIN_ATTESTED_VERSION:v=!" + set "VERSION_OK=" + for /f "delims=" %%i in ('powershell -NoProfile -Command "try { if ([version]$env:TAG_NUM -ge [version]$env:MIN_NUM) { 'yes' } } catch {}"') do set "VERSION_OK=%%i" + if not "!VERSION_OK!"=="yes" ( + echo Provenance verification was requested, but !TAG! predates >&2 + echo plannotator's attestation support. The first release carrying >&2 + echo signed build provenance is !MIN_ATTESTED_VERSION!. Options: >&2 + echo - Pin to !MIN_ATTESTED_VERSION! or later: --version !MIN_ATTESTED_VERSION! >&2 + echo - Install without provenance verification: --skip-attestation >&2 + echo - Or unset PLANNOTATOR_VERIFY_ATTESTATION / remove verifyAttestation >&2 + echo from %USERPROFILE%\.plannotator\config.json >&2 + exit /b 1 + ) +) + set "BINARY_NAME=plannotator-!PLATFORM!.exe" set "BINARY_URL=https://github.com/!REPO!/releases/download/!TAG!/!BINARY_NAME!" set "CHECKSUM_URL=!BINARY_URL!.sha256" @@ -195,48 +244,10 @@ if /i "!ACTUAL_CHECKSUM!" neq "!EXPECTED_CHECKSUM!" ( exit /b 1 ) -REM Resolve SLSA build-provenance verification opt-in. -REM Precedence: CLI flag > env var > config.json > default (off). -set "VERIFY_ATTESTATION=0" - -REM Layer 3: config file (lowest precedence of the opt-in sources). -if exist "%USERPROFILE%\.plannotator\config.json" ( - findstr /r /c:"\"verifyAttestation\"[ ]*:[ ]*true" "%USERPROFILE%\.plannotator\config.json" >nul 2>&1 - if !ERRORLEVEL! equ 0 set "VERIFY_ATTESTATION=1" -) - -REM Layer 2: env var (overrides config file). -if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="1" set "VERIFY_ATTESTATION=1" -if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="true" set "VERIFY_ATTESTATION=1" -if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="yes" set "VERIFY_ATTESTATION=1" -if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="0" set "VERIFY_ATTESTATION=0" -if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="false" set "VERIFY_ATTESTATION=0" -if /i "!PLANNOTATOR_VERIFY_ATTESTATION!"=="no" set "VERIFY_ATTESTATION=0" - -REM Layer 1: CLI flag (overrides everything). -if "!VERIFY_ATTESTATION_FLAG!"=="1" set "VERIFY_ATTESTATION=1" -if "!VERIFY_ATTESTATION_FLAG!"=="0" set "VERIFY_ATTESTATION=0" - if "!VERIFY_ATTESTATION!"=="1" ( - REM Pre-flight: reject the verification request before downloading if - REM the resolved tag predates provenance support. Uses PowerShell's - REM [version] class for proper semver comparison. Windows 10+ ships - REM powershell.exe always, so this doesn't add a runtime dependency. - set "TAG_NUM=!TAG:v=!" - set "MIN_NUM=!MIN_ATTESTED_VERSION:v=!" - set "VERSION_OK=" - for /f "delims=" %%i in ('powershell -NoProfile -Command "try { if ([version]'!TAG_NUM!' -ge [version]'!MIN_NUM!') { 'yes' } } catch {}"') do set "VERSION_OK=%%i" - if not "!VERSION_OK!"=="yes" ( - echo Provenance verification was requested, but !TAG! predates >&2 - echo plannotator's attestation support. The first release carrying >&2 - echo signed build provenance is !MIN_ATTESTED_VERSION!. Options: >&2 - echo - Pin to !MIN_ATTESTED_VERSION! or later: --version !MIN_ATTESTED_VERSION! >&2 - echo - Install without provenance verification: --skip-attestation >&2 - echo - Or unset PLANNOTATOR_VERIFY_ATTESTATION / remove verifyAttestation >&2 - echo from %USERPROFILE%\.plannotator\config.json >&2 - del "!TEMP_FILE!" - exit /b 1 - ) + REM VERIFY_ATTESTATION was resolved before the download; MIN_ATTESTED_VERSION + REM pre-flight already ran and rejected older tags. At this point we know + REM the tag is attested and gh should find a bundle. where gh >nul 2>&1 if !ERRORLEVEL! equ 0 ( REM Capture combined output to a randomized temp file so gh's diff --git a/scripts/install.ps1 b/scripts/install.ps1 index 8494cafc..a93d9d66 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -77,37 +77,9 @@ if ($Version -eq "latest") { Write-Host "Installing plannotator $latestTag..." -$binaryUrl = "https://github.com/$repo/releases/download/$latestTag/$binaryName" -$checksumUrl = "$binaryUrl.sha256" - -# Create install directory -New-Item -ItemType Directory -Force -Path $installDir | Out-Null - -$tmpFile = [System.IO.Path]::GetTempFileName() - -# Use -UseBasicParsing to avoid security prompts and ensure consistent behavior -Invoke-WebRequest -Uri $binaryUrl -OutFile $tmpFile -UseBasicParsing - -# Verify checksum -# Note: In Windows PowerShell 5.1, Invoke-WebRequest returns .Content as byte[] for non-HTML responses. -# We must handle both byte[] (PS 5.1) and string (PS 7+) for cross-version compatibility. -$checksumResponse = Invoke-WebRequest -Uri $checksumUrl -UseBasicParsing -if ($checksumResponse.Content -is [byte[]]) { - $checksumContent = [System.Text.Encoding]::UTF8.GetString($checksumResponse.Content) -} else { - $checksumContent = $checksumResponse.Content -} -$expectedChecksum = $checksumContent.Split(" ")[0].Trim().ToLower() -$actualChecksum = (Get-FileHash -Path $tmpFile -Algorithm SHA256).Hash.ToLower() - -if ($actualChecksum -ne $expectedChecksum) { - Remove-Item $tmpFile -Force - Write-Error "Checksum verification failed!" - exit 1 -} - -# Resolve SLSA build-provenance verification opt-in. -# Precedence: CLI flag > env var > ~/.plannotator/config.json > default (off). +# Resolve SLSA build-provenance verification opt-in BEFORE the download so we +# can fail fast without wasting bandwidth if the requested tag predates +# provenance support. Precedence: CLI flag > env var > config file > default. $verifyAttestationResolved = $false # Layer 3: config file (lowest precedence of the opt-in sources). @@ -140,21 +112,19 @@ if ($envVerify) { if ($VerifyAttestation) { $verifyAttestationResolved = $true } if ($SkipAttestation) { $verifyAttestationResolved = $false } +# Pre-flight: if verification is requested, reject tags older than the first +# attested release before we download anything. Uses PowerShell's [version] +# class for proper numeric comparison (lexicographic string cmp gets +# v0.9.0 vs v0.10.0 backwards). if ($verifyAttestationResolved) { - # Pre-flight: reject the verification request before downloading if the - # resolved tag predates provenance support. Uses PowerShell's [version] - # class for proper numeric comparison (unlike lexicographic string cmp - # which gets v0.9.0 vs v0.10.0 backwards). try { $resolvedVersion = [version]($latestTag -replace '^v', '') $minVersion = [version]($minAttestedVersion -replace '^v', '') } catch { - Remove-Item $tmpFile -Force Write-Error "Could not parse version tags for provenance check: latest=$latestTag min=$minAttestedVersion" exit 1 } if ($resolvedVersion -lt $minVersion) { - Remove-Item $tmpFile -Force [Console]::Error.WriteLine("Provenance verification was requested, but $latestTag predates plannotator's attestation support.") [Console]::Error.WriteLine("The first release carrying signed build provenance is $minAttestedVersion. Options:") [Console]::Error.WriteLine(" - Pin to $minAttestedVersion or later: -Version $minAttestedVersion") @@ -162,6 +132,41 @@ if ($verifyAttestationResolved) { [Console]::Error.WriteLine(" - Or unset PLANNOTATOR_VERIFY_ATTESTATION / remove verifyAttestation from $configPath") exit 1 } +} + +$binaryUrl = "https://github.com/$repo/releases/download/$latestTag/$binaryName" +$checksumUrl = "$binaryUrl.sha256" + +# Create install directory +New-Item -ItemType Directory -Force -Path $installDir | Out-Null + +$tmpFile = [System.IO.Path]::GetTempFileName() + +# Use -UseBasicParsing to avoid security prompts and ensure consistent behavior +Invoke-WebRequest -Uri $binaryUrl -OutFile $tmpFile -UseBasicParsing + +# Verify checksum +# Note: In Windows PowerShell 5.1, Invoke-WebRequest returns .Content as byte[] for non-HTML responses. +# We must handle both byte[] (PS 5.1) and string (PS 7+) for cross-version compatibility. +$checksumResponse = Invoke-WebRequest -Uri $checksumUrl -UseBasicParsing +if ($checksumResponse.Content -is [byte[]]) { + $checksumContent = [System.Text.Encoding]::UTF8.GetString($checksumResponse.Content) +} else { + $checksumContent = $checksumResponse.Content +} +$expectedChecksum = $checksumContent.Split(" ")[0].Trim().ToLower() +$actualChecksum = (Get-FileHash -Path $tmpFile -Algorithm SHA256).Hash.ToLower() + +if ($actualChecksum -ne $expectedChecksum) { + Remove-Item $tmpFile -Force + Write-Error "Checksum verification failed!" + exit 1 +} + +if ($verifyAttestationResolved) { + # $verifyAttestationResolved was decided before the download and the + # MIN_ATTESTED_VERSION pre-flight already rejected older tags. At this + # point we know the tag is attested and gh should find a bundle. if (Get-Command gh -ErrorAction SilentlyContinue) { # Constrain verification to the exact tag + signing workflow — see # install.sh comment for rationale. diff --git a/scripts/install.test.ts b/scripts/install.test.ts index f415fb30..91695df2 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -317,6 +317,56 @@ describe("install shared behavior", () => { expect(cmdScript).not.toMatch(/%TEMP%\\plannotator-!TAG!\.exe/); }); + test("all installers resolve verification + pre-flight BEFORE downloading the binary", () => { + // Regression guard: earlier revisions of install.ps1 and install.cmd + // resolved the three-layer verification opt-in and ran the + // MIN_ATTESTED_VERSION pre-flight AFTER the curl download, meaning + // users hit the failure only after wasting a full binary download. + // install.sh always pre-flighted correctly; the other two drifted. + // + // This test uses indexOf to assert the resolution block appears + // textually BEFORE the download line in each installer. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + + // install.sh: resolution before curl -o + const shResolve = sh.indexOf("verify_attestation=0"); + const shDownload = sh.indexOf('curl -fsSL -o "$tmp_file"'); + expect(shResolve).toBeGreaterThan(-1); + expect(shDownload).toBeGreaterThan(-1); + expect(shResolve).toBeLessThan(shDownload); + + // install.ps1: resolution before Invoke-WebRequest -OutFile $tmpFile + const psResolve = ps.indexOf("$verifyAttestationResolved = $false"); + const psDownload = ps.indexOf("Invoke-WebRequest -Uri $binaryUrl -OutFile $tmpFile"); + expect(psResolve).toBeGreaterThan(-1); + expect(psDownload).toBeGreaterThan(-1); + expect(psResolve).toBeLessThan(psDownload); + + // install.cmd: resolution before curl -o "!TEMP_FILE!" + const cmdResolve = cmdScript.indexOf('set "VERIFY_ATTESTATION=0"'); + const cmdDownload = cmdScript.indexOf('curl -fsSL "!BINARY_URL!" -o "!TEMP_FILE!"'); + expect(cmdResolve).toBeGreaterThan(-1); + expect(cmdDownload).toBeGreaterThan(-1); + expect(cmdResolve).toBeLessThan(cmdDownload); + }); + + test("install.cmd version pre-flight uses $env: vars, not interpolated cmd vars", () => { + // Regression guard for PowerShell command injection via --version. + // Earlier revision interpolated `!TAG_NUM!` and `!MIN_NUM!` directly + // into a PowerShell -Command string between single quotes. A crafted + // --version like "0.18.0'; calc; '0.18.0" would break out of the + // literal and execute arbitrary PowerShell. Fix: pass the values via + // environment variables ($env:TAG_NUM, $env:MIN_NUM). PowerShell + // reads env var values as raw strings and never parses them as code; + // the [version] cast throws on invalid input and catch swallows it. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + expect(cmdScript).toContain("$env:TAG_NUM"); + expect(cmdScript).toContain("$env:MIN_NUM"); + // The vulnerable interpolation form must be gone. + expect(cmdScript).not.toContain("[version]'!TAG_NUM!'"); + expect(cmdScript).not.toContain("[version]'!MIN_NUM!'"); + }); + test("all installers hardcode MIN_ATTESTED_VERSION and guard verification against older tags", () => { // Releases cut before this PR added `actions/attest-build-provenance` // to release.yml have no attestations. Running `gh attestation verify` From ddac011c3ed62662a25fd84ed525c23193833d8a Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 17:04:59 -0700 Subject: [PATCH 15/24] =?UTF-8?q?fix(install):=20close=20cycle-9=20gaps=20?= =?UTF-8?q?=E2=80=94=20CI=20coverage,=20v-strip,=20prerelease=20handling?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #512 cycle 9 review surfaced three real findings, all verified. ## Finding 1 (important): Windows CI never exercised the attestation path The Windows integration job ran `install.cmd v0.17.1 --skip-attestation`, which bypasses every bit of logic this PR shipped: three-layer opt-in resolution, MIN_ATTESTED_VERSION pre-flight, $env:-based PowerShell version comparison, and the gh attestation verify call. A runtime bug in any of those paths would not be caught by CI. `--skip-attestation` was passed intentionally because v0.17.1 predates attestation support — running without it hits the pre-flight and rejects. But that's the point: the REJECTION path is a real, valid end state we can assert against. The previous test conflated "install should succeed" with "test should pass"; the fix is to assert the correct behavior for an old version. Added a new CI step that runs `install.cmd v0.17.1 --verify-attestation` via Start-Process with stderr redirection to a temp file, then asserts: - exit code != 0 (pre-flight rejected) - stderr contains "predates" (rejection came from our guard, not some other failure mode like a network error or gh missing) This exercises on a real cmd.exe: - setlocal enabledelayedexpansion parser under the guard - three-layer resolution reaching the CLI flag layer - the :~1 substring (instead of the previous :v= global substitution) - the pre-release tag detection (negative path for stable tags) - the PowerShell shell-out with $env:TAG_NUM / $env:MIN_NUM - the [version] -ge comparison returning false - the "predates" error message block Can't test the success path (valid attested release) until the first post-merge release exists. Tracked for follow-up. ## Finding 2 (nit): !TAG:v=! is a global substitution, not anchored cmd's delayed-expansion string-substitution syntax `!VAR:str=repl!` replaces every occurrence of `str` globally. For all current semver tags (vX.Y.Z) this happens to strip exactly one `v` by coincidence. A hypothetical future tag like v1.0.0-rev2 would become 1.0.0-re2, which [System.Version] can't parse, silently misclassifying the failure as "predates attestation support" (see Finding 3). install.ps1 line 121 uses `-replace '^v', ''` which is properly regex-anchored. install.cmd had no anchored equivalent. Fixed by using `!TAG:~1!` — substring from index 1 — which drops exactly the first character. Safe because TAG is guaranteed to start with `v` by the normalization step upstream (line ~141). ## Finding 3 (nit): Pre-release tags misdiagnosed on Windows [System.Version] doesn't support semver prerelease or build-metadata suffixes (e.g. v0.18.0-rc1). It throws on any `-` in the version string. The catch blocks in both Windows installers handled the throw but surfaced wrong/confusing errors: install.sh: handles prereleases correctly via `sort -V` (POSIX version sort is semver-aware) — no issue. install.ps1: caught and printed "Could not parse version tags for provenance check" — accurate but doesn't explain WHY. install.cmd: swallowed silently, VERSION_OK stayed empty, printed "predates attestation support" — actively wrong, the problem isn't the version's age. Fixed in both Windows installers by detecting `-` in the tag BEFORE attempting the [version] cast: install.ps1: `if ($latestTag -match '-')` → dedicated error install.cmd: `if not "!TAG_NUM!"=="!TAG_NUM:-=!"` (native substitution check, no subshell, no metacharacter risk) Both emit a clear "pre-release tags aren't currently supported for provenance verification on Windows" message pointing users at --skip-attestation or a stable tag. Windows has no built-in semver comparator; adopting one would require NuGet or a custom parser. Explicit rejection with honest diagnosis is the pragmatic choice. ## Tests Three new regression guards in install.test.ts: 1. `install.cmd strips leading v via substring, not global substitution` — asserts `!TAG:~1!` is present and `!TAG:v=!` is gone. 2. `both Windows installers reject pre-release tags with a dedicated error` — asserts both scripts contain the "Pre-release tags" error message and the appropriate detection pattern for their dialect. 3. The new test.yml CI step doubles as a runtime regression guard — any break in the cmd pre-flight path that no longer matches "predates" in stderr, or returns 0, fails CI. 42 install tests pass (was 40). Windows CI will now exercise the pre-flight rejection path end-to-end for the first time. For provenance purposes, this commit was AI assisted. --- .github/workflows/test.yml | 50 ++++++++++++++++++++++++++++++++++++++ scripts/install.cmd | 33 +++++++++++++++++++++++-- scripts/install.ps1 | 12 +++++++++ scripts/install.test.ts | 35 ++++++++++++++++++++++++++ 4 files changed, 128 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 80ef0011..97cc1410 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -146,6 +146,56 @@ jobs: Write-Host "✓ Gemini settings.json merge verified (issue #506 regression guard)" + - name: Attestation pre-flight rejects v0.17.1 on real cmd.exe + shell: pwsh + run: | + # Regression guard: the main feature of this PR (three-layer + # verification opt-in + MIN_ATTESTED_VERSION pre-flight + + # injection-safe $env:-based PowerShell version comparison) had + # no runtime coverage on Windows because the previous + # integration step passes --skip-attestation. + # + # We can't test the SUCCESS path (valid attested release) + # because v0.17.1 is the current latest and it predates the + # release.yml attestation step. Until the first post-merge + # release exists, the only realistic end-to-end test is the + # REJECTION path: invoke install.cmd with --verify-attestation + # against v0.17.1 and assert the pre-flight rejects with + # exit != 0 and stderr containing "predates". + # + # This exercises on a real cmd.exe: + # - setlocal enabledelayedexpansion parser under the guard + # - three-layer resolution reaching the CLI flag layer + # - the :~1 substring (instead of :v= global substitution) + # - the pre-release tag detection (negative — v0.17.1 is stable) + # - the PowerShell shell-out with $env:TAG_NUM / $env:MIN_NUM + # (injection-safe — the previous interpolation would have + # allowed arbitrary PS execution via --version) + # - the `[version] -ge` comparison returning false + # - the "predates" error message block + $stderrFile = New-TemporaryFile + $p = Start-Process -Wait -PassThru -NoNewWindow cmd ` + -ArgumentList '/c','scripts\install.cmd v0.17.1 --verify-attestation' ` + -RedirectStandardError $stderrFile.FullName + $stderr = Get-Content $stderrFile.FullName -Raw -ErrorAction SilentlyContinue + Remove-Item $stderrFile.FullName -ErrorAction SilentlyContinue + + if ($p.ExitCode -eq 0) { + throw "install.cmd v0.17.1 --verify-attestation should have been rejected by the MIN_ATTESTED_VERSION pre-flight, but exited 0. stderr: $stderr" + } + if ($stderr -notmatch 'predates') { + throw "install.cmd rejected with exit $($p.ExitCode), but not via the pre-flight guard. Expected 'predates' in stderr, got: $stderr" + } + # Additional safety: make sure the binary was NOT downloaded + # (pre-flight should run before any curl call). install.cmd + # installs to %USERPROFILE%\.local\bin\plannotator.exe — that + # path should have been left alone by the rejected invocation. + # Note: the previous Gemini-merge integration step DID install + # v0.17.1, so this only validates that this run didn't overwrite + # it with a newer (nonexistent) download. We check that the + # file we see is still the v0.17.1 binary from the earlier step. + Write-Host "✓ MIN_ATTESTED_VERSION pre-flight rejected v0.17.1 via the expected code path" + - name: Verify Claude Code slash command files contain the shell-invocation prefix shell: pwsh run: | diff --git a/scripts/install.cmd b/scripts/install.cmd index 3e51c330..d163ea36 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -181,8 +181,37 @@ REM would run Calculator). $env: reads the raw string; PowerShell never parses REM the value as code. [version] cast throws on invalid input, catch swallows, REM VERSION_OK stays empty, and the guard rejects — safe fail. if "!VERIFY_ATTESTATION!"=="1" ( - set "TAG_NUM=!TAG:v=!" - set "MIN_NUM=!MIN_ATTESTED_VERSION:v=!" + REM Strip the leading `v` via substring-from-index-1. cmd's `:str=repl` + REM substitution is GLOBAL, not anchored — `!TAG:v=!` would remove every + REM `v` in the string, not just the leading one, so a hypothetical tag + REM like `v1.0.0-rev2` would become `1.0.0-re2` and break the [version] + REM cast. TAG is guaranteed to start with `v` by the normalization step + REM above, so `:~1` (drop first char) is equivalent to stripping the + REM leading prefix. + set "TAG_NUM=!TAG:~1!" + set "MIN_NUM=!MIN_ATTESTED_VERSION:~1!" + + REM Detect pre-release / build-metadata tags (e.g. v0.18.0-rc1) BEFORE + REM handing the value to PowerShell. [System.Version] doesn't support + REM semver prerelease suffixes and would throw inside the try/catch, + REM leaving VERSION_OK empty and surfacing a misleading "predates + REM attestation support" error. install.sh handles these correctly via + REM `sort -V`; Windows doesn't have a built-in semver comparator, so + REM we reject explicitly with an accurate diagnosis instead of silently + REM misclassifying the failure. + REM + REM Uses native cmd substitution `!VAR:-=!` to check for `-` presence — + REM no subshell, no metacharacter risk. If removing `-` changes the + REM string, the original contained a `-`. + if not "!TAG_NUM!"=="!TAG_NUM:-=!" ( + echo Pre-release tags like !TAG! aren't currently supported for >&2 + echo provenance verification on Windows. [System.Version] doesn't >&2 + echo parse semver prerelease suffixes. Options: >&2 + echo - Install without provenance verification: --skip-attestation >&2 + echo - Pin to a stable release tag ^(no `-rc`, `-beta`, etc.^) >&2 + exit /b 1 + ) + set "VERSION_OK=" for /f "delims=" %%i in ('powershell -NoProfile -Command "try { if ([version]$env:TAG_NUM -ge [version]$env:MIN_NUM) { 'yes' } } catch {}"') do set "VERSION_OK=%%i" if not "!VERSION_OK!"=="yes" ( diff --git a/scripts/install.ps1 b/scripts/install.ps1 index a93d9d66..3f2fdd83 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -117,6 +117,18 @@ if ($SkipAttestation) { $verifyAttestationResolved = $false } # class for proper numeric comparison (lexicographic string cmp gets # v0.9.0 vs v0.10.0 backwards). if ($verifyAttestationResolved) { + # Pre-release and build-metadata tags (e.g. v0.18.0-rc1) are not + # supported by [System.Version] — the cast throws on any `-` suffix. + # install.sh handles these correctly via `sort -V`; Windows has no + # built-in semver comparator, so we detect and reject explicitly + # with an accurate error rather than surfacing a confusing "could + # not parse" message from the catch block below. + if ($latestTag -match '-') { + [Console]::Error.WriteLine("Pre-release tags like $latestTag aren't currently supported for provenance verification on Windows. [System.Version] doesn't parse semver prerelease suffixes. Options:") + [Console]::Error.WriteLine(" - Install without provenance verification: -SkipAttestation") + [Console]::Error.WriteLine(" - Pin to a stable release tag (no -rc, -beta, etc.)") + exit 1 + } try { $resolvedVersion = [version]($latestTag -replace '^v', '') $minVersion = [version]($minAttestedVersion -replace '^v', '') diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 91695df2..3e38335c 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -367,6 +367,41 @@ describe("install shared behavior", () => { expect(cmdScript).not.toContain("[version]'!MIN_NUM!'"); }); + test("install.cmd strips leading v via substring, not global substitution", () => { + // Regression guard: cmd's `!VAR:str=repl!` is GLOBAL, not anchored, + // so `!TAG:v=!` removes every `v` in the tag — for hypothetical + // tags with internal v's (e.g. v1.0.0-rev2 → 1.0.0-re2) this + // produces an invalid version string. Use `!TAG:~1!` (substring + // from index 1) instead, which is equivalent to stripping the + // leading `v` because TAG is guaranteed to start with `v` by the + // upstream normalization. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + expect(cmdScript).toContain('set "TAG_NUM=!TAG:~1!"'); + expect(cmdScript).toContain('set "MIN_NUM=!MIN_ATTESTED_VERSION:~1!"'); + // The global-substitution form must be gone from the pre-flight block. + expect(cmdScript).not.toContain('set "TAG_NUM=!TAG:v=!"'); + expect(cmdScript).not.toContain('set "MIN_NUM=!MIN_ATTESTED_VERSION:v=!"'); + }); + + test("both Windows installers reject pre-release tags with a dedicated error", () => { + // Regression guard: [System.Version] (used by both Windows installers + // for the pre-flight comparison) throws on semver prerelease suffixes + // like v0.18.0-rc1. Earlier revisions let the throw be swallowed by + // catch blocks and surfaced misleading diagnoses: + // install.cmd: "predates attestation support" (wrong — it's unparseable) + // install.ps1: "Could not parse version tags" (accurate but cryptic) + // Both now detect the `-` in the tag BEFORE attempting the cast and + // emit a dedicated "pre-release tags aren't currently supported" + // error that points users at --skip-attestation or a stable tag. + // install.sh handles these correctly via `sort -V` and doesn't need + // the pre-check. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + expect(cmdScript).toContain("Pre-release tags"); + expect(cmdScript).toContain('if not "!TAG_NUM!"=="!TAG_NUM:-=!"'); + expect(ps).toContain("Pre-release tags"); + expect(ps).toMatch(/\$latestTag -match '-'/); + }); + test("all installers hardcode MIN_ATTESTED_VERSION and guard verification against older tags", () => { // Releases cut before this PR added `actions/attest-build-provenance` // to release.yml have no attestations. Running `gh attestation verify` From b192d42b02bb3faf7db0700cafdee8185d677c7b Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 18:07:03 -0700 Subject: [PATCH 16/24] =?UTF-8?q?fix:=20cycle-10=20review=20=E2=80=94=20sp?= =?UTF-8?q?lit=20attest=20job,=20assert=20binary=20preservation,=20misc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #512 cycle 10 raised four findings, all verified. ## Finding 1: id-token/attestations permissions granted to build on PRs The build job in release.yml had `id-token: write` and `attestations: write` at the job level with no conditional guard. On PR triggers, those permissions were live for every build step (checkout, bun install, bun build, compile) even though the attestation step itself was gated by `if: startsWith(github.ref, 'refs/tags/')`. Narrow-but-real attack surface: a trusted contributor's malicious PR injecting code into a build step could mint an OIDC token authenticating as the repo identity. Fork PRs are automatically protected (GitHub suppresses OIDC tokens on forks), but same-repo contributor compromise is a realistic risk in a project with external contributors. Fixed by splitting attestation into its own job: build: contents: read only. Runs on all triggers. Compiles binaries and uploads them as the `binaries` artifact. No OIDC capability anywhere in the job. attest: needs: build, if: tag push only. contents: read + id-token: write + attestations: write. Downloads the binaries artifact and runs attest-build-provenance. Permissions are only live when we're actually producing an attestation — never on PR dry-runs. release: needs: attest (was: needs: build). Still tag-only. The dependency chain guarantees the attestation exists in the GitHub attestation store before the release's binaries are published, closing the race window where a user could pull the binary and gh attestation verify would fail because the bundle hadn't propagated yet. npm-publish: unchanged. Still needs: build. Still has id-token: write for `npm publish --provenance`. The reviewer flagged only the build job; npm-publish's id-token grant is scoped to that one job and is actually used by the provenance flag. ## Finding 2: CI test promised a binary-preservation check but didn't do one The `Attestation pre-flight rejects v0.17.1` step contained a multi-line comment promising to verify the rejected run didn't overwrite the previously-installed binary. No assertion code followed — just a Write-Host success line. The test claimed more than it delivered. Added actual baseline capture + comparison: - Before running the rejection test, capture the binary's SHA256 and LastWriteTime from the prior Gemini-merge step. - After the rejection, recompute both and assert they match. - Any drift throws: catches future regressions that re-introduce the post-download pre-flight pattern (the pre-flight correctly rejects but only after downloading and overwriting the file). ## Finding 3: install.ps1 dead-code comment about flag precedence Line 111 read "-SkipAttestation beats -VerifyAttestation if both passed" but the upfront mutex guard (lines 13-16) exits 1 if both flags are present. The "beats" scenario is unreachable. The comment misleads a future reader into thinking the late ordering handles the mutual exclusion and is safe to remove the early guard — which would be backwards. Replaced with a comment that explicitly notes the mutex guard at the top of the script makes the two branches mutually exclusive by construction. ## Finding 4: install.sh `cd` inside `&&` condition leaked CWD on failure The skills-install block chained `git clone ... && cd ... && git sparse-checkout set ...`. If clone succeeded but sparse-checkout failed, the short-circuit skipped the `cd -` and `rm -rf "$skills_tmp"` later ran with the shell's CWD still inside the to-be-deleted directory. On Linux/macOS this silently "works" — the inode is unlinked but the process keeps its cwd reference — so nothing visibly breaks (all downstream code uses absolute paths). But it's structurally wrong: install.ps1 and install.cmd both use Push-Location/pushd for the same logic. Restructured to run the entire clone → sparse-checkout → verify → copy sequence inside a single `(...)` subshell, with `cd`s scoped to the subshell. The parent shell's CWD is unchanged regardless of which step fails, so the subsequent `rm -rf` always runs from a stable location. Any failure in the chain short-circuits to the else branch with a clean skip message. Also merged the two `[ -d ]` / `[ ls -A ]` guards into the chain so the "apps/skills empty" case is now reported in the skip message rather than being silently suppressed. 42 install tests pass. For provenance purposes, this commit was AI assisted. --- .github/workflows/release.yml | 56 +++++++++++++++++++++++++++-------- .github/workflows/test.yml | 38 +++++++++++++++++++----- scripts/install.ps1 | 4 ++- scripts/install.sh | 38 ++++++++++++++++-------- 4 files changed, 102 insertions(+), 34 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 165b955e..efb27a82 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -46,10 +46,15 @@ jobs: build: needs: test runs-on: ubuntu-latest + # Build job has NO id-token / attestations permissions. Compilation + # itself doesn't need OIDC minting — those capabilities live in the + # separate `attest` job below, which only runs on tag pushes. This + # ensures PR dry-runs (which exercise `bun install` + compile) never + # have OIDC minting available, closing the narrow-but-real + # "trusted-contributor compromise lets a malicious build step mint + # a repo-identity OIDC token" attack surface. permissions: contents: read - id-token: write - attestations: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -104,8 +109,39 @@ jobs: bun build apps/paste-service/targets/bun.ts --compile --target=bun-windows-x64 --outfile plannotator-paste-win32-x64.exe sha256sum plannotator-paste-win32-x64.exe > plannotator-paste-win32-x64.exe.sha256 + - name: Upload artifacts + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: binaries + path: | + plannotator-* + !*.ts + + attest: + # Isolated attestation job — runs on tag pushes only and holds the + # OIDC minting + attestations-write capabilities that the build job + # used to have. Splitting this out means PR builds and non-tag pushes + # never get id-token: write granted, closing the trusted-contributor + # compromise window where a malicious build step could mint a + # repo-identity OIDC token. The attestation is produced against the + # same binaries the build job uploaded; attest-build-provenance + # publishes the signed bundle to GitHub's attestation store, so the + # release job downstream doesn't need any new artifact handling. + needs: build + if: startsWith(github.ref, 'refs/tags/') + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + attestations: write + + steps: + - name: Download binaries + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: binaries + - name: Generate SLSA build provenance attestation - if: startsWith(github.ref, 'refs/tags/') uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: | @@ -120,16 +156,12 @@ jobs: plannotator-paste-linux-arm64 plannotator-paste-win32-x64.exe - - name: Upload artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 - with: - name: binaries - path: | - plannotator-* - !*.ts - release: - needs: build + # Depends on `attest` so the signed provenance exists before the + # GitHub Release is published — otherwise there'd be a window where + # users could pull the binary and `gh attestation verify` would + # race-fail. `needs: attest` implicitly requires `build` too. + needs: attest if: startsWith(github.ref, 'refs/tags/') runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 97cc1410..4aed28fe 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -173,6 +173,19 @@ jobs: # allowed arbitrary PS execution via --version) # - the `[version] -ge` comparison returning false # - the "predates" error message block + $installedBinary = "$env:USERPROFILE\.local\bin\plannotator.exe" + + # Capture the currently-installed binary's hash BEFORE running + # the rejection test. The earlier Gemini-merge integration step + # installed v0.17.1 at this path; we use the captured hash as + # a baseline so we can prove the rejected invocation left it + # untouched (no wasted download, no overwrite). + if (-not (Test-Path $installedBinary)) { + throw "Expected $installedBinary to exist from the earlier install.cmd step, but it's missing. Cannot baseline the preservation check." + } + $baselineHash = (Get-FileHash $installedBinary -Algorithm SHA256).Hash + $baselineWriteTime = (Get-Item $installedBinary).LastWriteTime + $stderrFile = New-TemporaryFile $p = Start-Process -Wait -PassThru -NoNewWindow cmd ` -ArgumentList '/c','scripts\install.cmd v0.17.1 --verify-attestation' ` @@ -186,15 +199,24 @@ jobs: if ($stderr -notmatch 'predates') { throw "install.cmd rejected with exit $($p.ExitCode), but not via the pre-flight guard. Expected 'predates' in stderr, got: $stderr" } - # Additional safety: make sure the binary was NOT downloaded - # (pre-flight should run before any curl call). install.cmd - # installs to %USERPROFILE%\.local\bin\plannotator.exe — that - # path should have been left alone by the rejected invocation. - # Note: the previous Gemini-merge integration step DID install - # v0.17.1, so this only validates that this run didn't overwrite - # it with a newer (nonexistent) download. We check that the - # file we see is still the v0.17.1 binary from the earlier step. + + # Assert the pre-flight ran BEFORE any download / install step. + # If the binary's hash or mtime changed, something downloaded + # and moved a new file into place — meaning the pre-flight + # rejection happened late (after the download step) instead + # of early (before it). Catches future regressions that re- + # introduce the post-download pre-flight pattern. + $postHash = (Get-FileHash $installedBinary -Algorithm SHA256).Hash + $postWriteTime = (Get-Item $installedBinary).LastWriteTime + if ($postHash -ne $baselineHash) { + throw "Binary at $installedBinary was overwritten during the rejected --verify-attestation run. Baseline SHA256 $baselineHash, post SHA256 $postHash. The pre-flight must run before any download." + } + if ($postWriteTime -ne $baselineWriteTime) { + throw "Binary at $installedBinary had its LastWriteTime modified during the rejected --verify-attestation run. Baseline $baselineWriteTime, post $postWriteTime." + } + Write-Host "✓ MIN_ATTESTED_VERSION pre-flight rejected v0.17.1 via the expected code path" + Write-Host "✓ Installed binary was preserved (SHA256 and LastWriteTime both unchanged)" - name: Verify Claude Code slash command files contain the shell-invocation prefix shell: pwsh diff --git a/scripts/install.ps1 b/scripts/install.ps1 index 3f2fdd83..f8191309 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -108,7 +108,9 @@ if ($envVerify) { } } -# Layer 1: CLI flags win. -SkipAttestation beats -VerifyAttestation if both passed. +# Layer 1: CLI flags win. -VerifyAttestation and -SkipAttestation are +# mutually exclusive and already rejected together at the top of this +# script (lines ~13-16), so at most one of these branches can fire. if ($VerifyAttestation) { $verifyAttestationResolved = $true } if ($SkipAttestation) { $verifyAttestationResolved = $false } diff --git a/scripts/install.sh b/scripts/install.sh index 2ff29d4a..0e3e9a17 100644 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -449,20 +449,32 @@ if command -v git &>/dev/null; then AGENTS_SKILLS_DIR="$HOME/.agents/skills" skills_tmp=$(mktemp -d) - if git clone --depth 1 --filter=blob:none --sparse \ - "https://github.com/${REPO}.git" --branch "$latest_tag" "$skills_tmp/repo" 2>/dev/null && \ - cd "$skills_tmp/repo" && git sparse-checkout set apps/skills 2>/dev/null; then - - if [ -d "apps/skills" ] && [ "$(ls -A apps/skills 2>/dev/null)" ]; then - mkdir -p "$CLAUDE_SKILLS_DIR" "$AGENTS_SKILLS_DIR" - cp -r apps/skills/* "$CLAUDE_SKILLS_DIR/" - cp -r apps/skills/* "$AGENTS_SKILLS_DIR/" - echo "Installed skills to ${CLAUDE_SKILLS_DIR}/ and ${AGENTS_SKILLS_DIR}/" - fi - - cd - >/dev/null + # Wrap the cd-bearing block in a subshell so any `cd` is scoped to + # the subshell and can't leave the parent script with a dangling CWD. + # Previous version chained `cd` inside an `&&` condition, and if + # sparse-checkout failed the else branch ran without restoring the + # directory — then `rm -rf "$skills_tmp"` below executed while the + # shell's CWD was still inside the directory being deleted. No + # production failure (subsequent code uses absolute paths) but + # structurally incorrect. install.ps1 and install.cmd use + # Push-Location/pushd for the same logic; a subshell is bash's + # equivalent — the parent shell's CWD is inherited in, and any + # cd inside the subshell disappears when the subshell exits. + if ( + cd "$skills_tmp" && + git clone --depth 1 --filter=blob:none --sparse \ + "https://github.com/${REPO}.git" --branch "$latest_tag" repo 2>/dev/null && + cd repo && + git sparse-checkout set apps/skills 2>/dev/null && + [ -d "apps/skills" ] && + [ "$(ls -A apps/skills 2>/dev/null)" ] && + mkdir -p "$CLAUDE_SKILLS_DIR" "$AGENTS_SKILLS_DIR" && + cp -r apps/skills/* "$CLAUDE_SKILLS_DIR/" && + cp -r apps/skills/* "$AGENTS_SKILLS_DIR/" + ); then + echo "Installed skills to ${CLAUDE_SKILLS_DIR}/ and ${AGENTS_SKILLS_DIR}/" else - echo "Skipping skills install (git sparse-checkout failed)" + echo "Skipping skills install (git sparse-checkout failed or apps/skills empty)" fi rm -rf "$skills_tmp" From b190a05d065e273e6354e9827972fa53d2c968ac Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 18:38:59 -0700 Subject: [PATCH 17/24] fix(install): set MIN_ATTESTED_VERSION to v0.17.2, remove skill bump note MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Earlier cycles hardcoded MIN_ATTESTED_VERSION="v0.18.0" across the three installers as a best-guess for the first post-merge release, and I added a one-time bump instruction to the release skill as insurance in case the guess was wrong. The guess was wrong — the next release is v0.17.2 (patch bump, not a minor bump). Updated the constant in all three installers and the matching test assertions. No other version references in the shipped error messages need changing because they read MIN_ATTESTED_VERSION from the variable at runtime. Also removed the "⚠️ One-time MIN_ATTESTED_VERSION bump" section from .agents/skills/release/SKILL.md entirely. With the constant now set to the actual next release tag, there's nothing for the release agent to bump at release time — the constant is already correct. Baking a one-time action into a recurring release skill was the wrong place for it; every future release agent would read the warning, confirm it's already set, and move on. Noise in a workflow that's supposed to be tight. If the next release version ever differs from v0.17.2 (e.g. we decide to skip to v0.18.0 or go straight to v1.0.0), the PR cutting that release will need to update MIN_ATTESTED_VERSION in the three installers. That's an ad-hoc fix, not a recurring skill concern. Smoke test with the new value: - install.sh --version v0.17.1 --verify-attestation → rejects with "first attested release is v0.17.2" - install.sh --version v0.17.2 --verify-attestation → passes pre-flight, proceeds to download (404 as expected since v0.17.2 is not yet released) 42 install tests pass. For provenance purposes, this commit was AI assisted. --- .agents/skills/release/SKILL.md | 14 -------------- scripts/install.cmd | 2 +- scripts/install.ps1 | 2 +- scripts/install.sh | 2 +- scripts/install.test.ts | 6 +++--- 5 files changed, 6 insertions(+), 20 deletions(-) diff --git a/.agents/skills/release/SKILL.md b/.agents/skills/release/SKILL.md index 1531591b..e86632d1 100644 --- a/.agents/skills/release/SKILL.md +++ b/.agents/skills/release/SKILL.md @@ -195,20 +195,6 @@ If anything is missing, fix it before proceeding to Phase 4. Common fixes: **Note on immutable releases:** The repo has GitHub Immutable Releases enabled, so once the `v*` tag is pushed and the release is created, the tag→commit and tag→asset bindings are permanent. You cannot delete and re-create a tag to "fix" a bad release — you must ship a new version. Release notes remain editable (see step 5), but everything else is locked. - **⚠️ One-time `MIN_ATTESTED_VERSION` bump — only for the first attested release (v0.18.0 expected):** - - The three installers (`scripts/install.sh`, `scripts/install.ps1`, `scripts/install.cmd`) each hardcode a `MIN_ATTESTED_VERSION` constant. This constant exists to reject `--verify-attestation` / `PLANNOTATOR_VERIFY_ATTESTATION=1` / `verifyAttestation: true` requests for any release that predates provenance support, with a clean error pointing the user at `--skip-attestation` or pinning to a newer version. Otherwise users would see a cryptic `gh attestation verify: no attestations found` error. - - Before shipping the first attested release, verify `MIN_ATTESTED_VERSION` in all three installers matches the version you're about to cut: - - ```bash - grep -n "MIN_ATTESTED_VERSION" scripts/install.sh scripts/install.ps1 scripts/install.cmd - ``` - - Expected value: the exact tag you're releasing (e.g. `v0.18.0`). If the release version is different from the currently-hardcoded value, bump it in all three files **in the same commit as the version bump** so the installers on `plannotator.ai` (served from `main`) activate the constant at the same moment the first attested release becomes fetchable. - - After the first attested release has shipped, this constant does NOT need to be bumped on subsequent releases. It is a floor, not a moving target — leave it at whatever the first attested version was. - 4. **Monitor the pipeline:** Watch the release workflow run until it completes: ```bash diff --git a/scripts/install.cmd b/scripts/install.cmd index d163ea36..e4c39ada 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -88,7 +88,7 @@ set "PLATFORM=win32-x64" REM First plannotator release that carries SLSA build-provenance attestations. REM See scripts/install.sh for the full explanation — this constant is REM bumped once at the first attested release via the release skill. -set "MIN_ATTESTED_VERSION=v0.18.0" +set "MIN_ATTESTED_VERSION=v0.17.2" REM Check for 64-bit Windows if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" goto :arch_valid diff --git a/scripts/install.ps1 b/scripts/install.ps1 index f8191309..fd009dff 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -21,7 +21,7 @@ $installDir = "$env:LOCALAPPDATA\plannotator" # First plannotator release that carries SLSA build-provenance attestations. # See scripts/install.sh for the full explanation — this constant is bumped # once at the first attested release via the release skill. -$minAttestedVersion = "v0.18.0" +$minAttestedVersion = "v0.17.2" # Detect architecture. We don't currently ship a native ARM64 Windows # binary — the release pipeline only builds bun-windows-x64. Windows 11 diff --git a/scripts/install.sh b/scripts/install.sh index 0e3e9a17..67792e10 100644 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -13,7 +13,7 @@ INSTALL_DIR="$HOME/.local/bin" # against this constant and fails fast with a clear message instead of # downloading a binary, running SHA256, and then hitting a cryptic gh # failure. Bumped once at the first attested release via the release skill. -MIN_ATTESTED_VERSION="v0.18.0" +MIN_ATTESTED_VERSION="v0.17.2" # Compare two vMAJOR.MINOR.PATCH tags. Returns 0 (success) if $1 >= $2. # Uses `sort -V` (version sort) which handles minor/patch width correctly diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 3e38335c..db58fe38 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -417,15 +417,15 @@ describe("install shared behavior", () => { const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); // install.sh - expect(sh).toContain('MIN_ATTESTED_VERSION="v0.18.0"'); + expect(sh).toContain('MIN_ATTESTED_VERSION="v0.17.2"'); expect(sh).toContain("version_ge"); expect(sh).toContain("predates"); // install.ps1 - expect(ps).toContain('$minAttestedVersion = "v0.18.0"'); + expect(ps).toContain('$minAttestedVersion = "v0.17.2"'); expect(ps).toContain("[version]"); expect(ps).toContain("predates"); // install.cmd - expect(cmdScript).toContain('set "MIN_ATTESTED_VERSION=v0.18.0"'); + expect(cmdScript).toContain('set "MIN_ATTESTED_VERSION=v0.17.2"'); expect(cmdScript).toContain("powershell -NoProfile -Command"); expect(cmdScript).toContain("predates"); }); From 5c5b210f5786b85ae96295738894ceeb0833d3e6 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 18:47:32 -0700 Subject: [PATCH 18/24] feat(release): ship native ARM64 Windows binaries MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bun v1.3.10 (February 2025) promoted bun-windows-arm64 from preview to a stable cross-compile target, which makes native ARM64 Windows builds a 15-line change instead of a project. Adopted immediately so ARM64 Windows users get native-speed binaries instead of the x86-64 emulation tax. Earlier cycles of this PR shipped two temporary workarounds for the absence of a native ARM64 binary: - install.ps1 detected ARM64 and fell back to $arch="x64" with a Write-Host notice that the user was running via emulation. - install.cmd hardcoded PLATFORM=win32-x64 and let ARM64 hosts pass the arch check without differentiation. Both are now obsolete and have been replaced with real architecture detection that selects the native binary. ## Changes release.yml: Added `bun-windows-arm64` to the compile matrix for both apps/hook/server/index.ts and apps/paste-service/targets/bun.ts. Output files are plannotator-win32-arm64.exe and plannotator-paste-win32-arm64.exe with matching .sha256 sidecars. Upload-artifact already globs `plannotator-*` so no change there. release.yml attest step: Added the two new ARM64 binaries to subject-path so they're covered by the SLSA build provenance attestation alongside the x64 builds. Both binaries sign with the same Sigstore bundle as the rest of the matrix. install.ps1: Restored the proper ARM64 detection that the earlier fallback replaced. On 64-bit Windows, $arch is "arm64" when PROCESSOR_ARCHITECTURE equals "ARM64", otherwise "x64". The emulation-fallback Write-Host notice is gone — users now get native binaries and don't need to be told about emulation. install.cmd: Replaced the unconditional `set "PLATFORM=win32-x64"` with a set of conditional assignments keyed off PROCESSOR_ARCHITECTURE and PROCESSOR_ARCHITEW6432 (the latter covers the edge case of a 32-bit tool launching install.cmd on an ARM64 machine via WoW64). PLATFORM is left empty if neither variable indicates AMD64 or ARM64, which triggers the "does not support 32-bit Windows" error path. The :arch_valid label and its gotos are gone — the new logic is linear and doesn't need a label. install.test.ts: Updated the install.ps1 ARM64 test to assert the native arm64 branch (no more "runs via emulation" text) and added a new install.cmd test verifying both PLATFORM branches are present. 43 install tests pass (was 42). ## CI coverage caveat windows-latest is x86-64, so the Windows integration job still exercises install.cmd against the x64 binary path. ARM64 has no CI runner coverage yet — we're shipping ARM64 binaries on trust that Bun's cross-compile produces working executables. That's the same trust we extend to linux-arm64 builds (also x-compiled from an ubuntu-latest runner). GitHub Actions does offer a windows-11-arm runner that could be added later; tracked as follow-up since it has availability and pricing implications. Closes #517. For provenance purposes, this commit was AI assisted. --- .github/workflows/release.yml | 9 +++++++++ scripts/install.cmd | 28 ++++++++++++++++---------- scripts/install.ps1 | 16 ++++++--------- scripts/install.test.ts | 38 +++++++++++++++++++++-------------- 4 files changed, 55 insertions(+), 36 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index efb27a82..c2d47dee 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -93,6 +93,10 @@ jobs: bun build apps/hook/server/index.ts --compile --target=bun-windows-x64 --outfile plannotator-win32-x64.exe sha256sum plannotator-win32-x64.exe > plannotator-win32-x64.exe.sha256 + # Windows ARM64 (native, via bun-windows-arm64 — stable since Bun v1.3.10) + bun build apps/hook/server/index.ts --compile --target=bun-windows-arm64 --outfile plannotator-win32-arm64.exe + sha256sum plannotator-win32-arm64.exe > plannotator-win32-arm64.exe.sha256 + # Paste service binaries bun build apps/paste-service/targets/bun.ts --compile --target=bun-darwin-arm64 --outfile plannotator-paste-darwin-arm64 sha256sum plannotator-paste-darwin-arm64 > plannotator-paste-darwin-arm64.sha256 @@ -109,6 +113,9 @@ jobs: bun build apps/paste-service/targets/bun.ts --compile --target=bun-windows-x64 --outfile plannotator-paste-win32-x64.exe sha256sum plannotator-paste-win32-x64.exe > plannotator-paste-win32-x64.exe.sha256 + bun build apps/paste-service/targets/bun.ts --compile --target=bun-windows-arm64 --outfile plannotator-paste-win32-arm64.exe + sha256sum plannotator-paste-win32-arm64.exe > plannotator-paste-win32-arm64.exe.sha256 + - name: Upload artifacts uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: @@ -150,11 +157,13 @@ jobs: plannotator-linux-x64 plannotator-linux-arm64 plannotator-win32-x64.exe + plannotator-win32-arm64.exe plannotator-paste-darwin-arm64 plannotator-paste-darwin-x64 plannotator-paste-linux-x64 plannotator-paste-linux-arm64 plannotator-paste-win32-x64.exe + plannotator-paste-win32-arm64.exe release: # Depends on `attest` so the signed provenance exists before the diff --git a/scripts/install.cmd b/scripts/install.cmd index e4c39ada..3a183177 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -83,23 +83,29 @@ goto parse_args set "REPO=backnotprop/plannotator" set "INSTALL_DIR=%USERPROFILE%\.local\bin" -set "PLATFORM=win32-x64" REM First plannotator release that carries SLSA build-provenance attestations. REM See scripts/install.sh for the full explanation — this constant is REM bumped once at the first attested release via the release skill. set "MIN_ATTESTED_VERSION=v0.17.2" -REM Check for 64-bit Windows -if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" goto :arch_valid -if /i "%PROCESSOR_ARCHITECTURE%"=="ARM64" goto :arch_valid -if /i "%PROCESSOR_ARCHITEW6432%"=="AMD64" goto :arch_valid -if /i "%PROCESSOR_ARCHITEW6432%"=="ARM64" goto :arch_valid - -echo Plannotator does not support 32-bit Windows. >&2 -exit /b 1 - -:arch_valid +REM Detect architecture. Native ARM64 Windows binaries are built from +REM bun-windows-arm64 (stable since Bun v1.3.10), so ARM64 hosts get a +REM native binary — no Windows x86-64 emulation tax. PROCESSOR_ARCHITECTURE +REM reports the architecture the current cmd.exe process is running under; +REM PROCESSOR_ARCHITEW6432 is set only in 32-bit processes running via +REM WoW64 and reflects the host architecture (covers the edge case of a +REM 32-bit tool launching install.cmd on an ARM64 machine). +set "PLATFORM=" +if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" set "PLATFORM=win32-x64" +if /i "%PROCESSOR_ARCHITECTURE%"=="ARM64" set "PLATFORM=win32-arm64" +if /i "%PROCESSOR_ARCHITEW6432%"=="AMD64" set "PLATFORM=win32-x64" +if /i "%PROCESSOR_ARCHITEW6432%"=="ARM64" set "PLATFORM=win32-arm64" + +if "!PLATFORM!"=="" ( + echo Plannotator does not support 32-bit Windows. >&2 + exit /b 1 +) REM Check for curl availability curl --version >nul 2>&1 diff --git a/scripts/install.ps1 b/scripts/install.ps1 index fd009dff..928c45b3 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -23,19 +23,15 @@ $installDir = "$env:LOCALAPPDATA\plannotator" # once at the first attested release via the release skill. $minAttestedVersion = "v0.17.2" -# Detect architecture. We don't currently ship a native ARM64 Windows -# binary — the release pipeline only builds bun-windows-x64. Windows 11 -# runs x64 binaries on ARM64 via emulation, so fall back to x64 on ARM64 -# hosts rather than hard-failing with a 404 on a binary we don't publish. -# install.cmd already (accidentally) does the same thing by hardcoding -# its PLATFORM to win32-x64; this brings install.ps1 into parity so both -# Windows installer paths produce a working install on ARM64. -# Native ARM64 Windows builds tracked as a follow-up. +# Detect architecture. Native ARM64 Windows binaries are built from +# bun-windows-arm64 (stable since Bun v1.3.10), so ARM64 hosts get a +# native binary — no Windows x86-64 emulation tax. if ([Environment]::Is64BitOperatingSystem) { if ($env:PROCESSOR_ARCHITECTURE -eq "ARM64") { - Write-Host "ARM64 Windows detected — installing x64 binary (runs via Windows emulation)." + $arch = "arm64" + } else { + $arch = "x64" } - $arch = "x64" } else { Write-Error "32-bit Windows is not supported" exit 1 diff --git a/scripts/install.test.ts b/scripts/install.test.ts index db58fe38..1d005e40 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -92,23 +92,18 @@ describe("install.ps1", () => { expect(script).toContain("UTF8.GetString"); }); - test("ARM64 Windows falls back to x64 binary via Windows emulation", () => { - // We don't ship a native ARM64 Windows binary — release.yml builds - // only bun-windows-x64 — so install.ps1 must not select arm64 and - // then 404 on a non-existent binary. Instead, always set $arch=x64 - // on 64-bit Windows and print a notice when ARM64 is detected so - // users know they're running via emulation. - // - // Verify three things: - // 1. ARM64 is still detected (for the notice) - // 2. $arch is hardcoded to "x64" on 64-bit systems - // 3. The old `"arm64"` literal is not present as an $arch value + test("install.ps1 selects native arm64 binary on ARM64 Windows", () => { + // release.yml now builds bun-windows-arm64 (stable since Bun v1.3.10), + // so ARM64 hosts get a native binary instead of running the x64 build + // via Windows emulation. install.ps1 must detect PROCESSOR_ARCHITECTURE + // and set $arch accordingly so the downloaded binary matches the host. + expect(script).toContain("PROCESSOR_ARCHITECTURE"); expect(script).toContain('"ARM64"'); + expect(script).toContain('$arch = "arm64"'); expect(script).toContain('$arch = "x64"'); - expect(script).toContain("runs via Windows emulation"); - // The previous code had `{ "arm64" } else { "x64" }` — make sure the - // arm64 branch is gone so we can't regress to a 404 install. - expect(script).not.toMatch(/{\s*"arm64"\s*}/); + // The emulation-fallback workaround from earlier cycles must be gone + // now that native ARM64 binaries ship. + expect(script).not.toContain("runs via Windows emulation"); }); test("adds to PATH via environment variable", () => { @@ -164,6 +159,19 @@ describe("install.cmd", () => { expect(script).toContain("PROCESSOR_ARCHITEW6432"); // WoW64 detection }); + test("install.cmd selects platform based on PROCESSOR_ARCHITECTURE", () => { + // Earlier revisions hardcoded `set "PLATFORM=win32-x64"` regardless + // of host architecture, so ARM64 Windows machines silently received + // the x64 binary (working via emulation, but slower). Now that + // release.yml ships a native bun-windows-arm64 build, the script + // must branch on PROCESSOR_ARCHITECTURE / PROCESSOR_ARCHITEW6432 + // and set PLATFORM to win32-arm64 when appropriate. + expect(script).toContain('set "PLATFORM=win32-x64"'); + expect(script).toContain('set "PLATFORM=win32-arm64"'); + // The old unconditional hardcode must be gone. + expect(script).not.toMatch(/^set "PLATFORM=win32-x64"$/m); + }); + test("warns about duplicate hooks", () => { expect(script).toContain("DUPLICATE HOOK DETECTED"); }); From aa83a647fa549178858830af571f9f9433eb6158 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 18:50:50 -0700 Subject: [PATCH 19/24] fix(install.ps1): detect ARM64 host through WoW64 too, matching install.cmd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Self-review catch on top of the ARM64 support commit. My install.ps1 architecture detection only checked \$env:PROCESSOR_ARCHITECTURE, which reports the architecture the CURRENT PowerShell process is running under — not the host architecture. On ARM64 Windows, a 32-bit PowerShell process (rare, but possible) would see PROCESSOR_ARCHITECTURE=X86, miss the "ARM64" branch, fall through to \$arch = "x64", and download the emulated x64 binary instead of the new native arm64 build. install.cmd already handles this correctly via PROCESSOR_ARCHITEW6432, which is set only in 32-bit WoW64 processes and holds the host architecture. install.ps1 was the odd one out. Fixed by checking PROCESSOR_ARCHITEW6432 first and falling back to PROCESSOR_ARCHITECTURE. Now both Windows installers follow the same detection logic regardless of process bitness. Also added an explicit error branch for unrecognized architectures (anything that isn't AMD64 or ARM64) instead of silently assuming x64. Test updated to assert both env vars are referenced. For provenance purposes, this commit was AI assisted. --- scripts/install.ps1 | 27 ++++++++++++++++++++------- scripts/install.test.ts | 8 +++++++- 2 files changed, 27 insertions(+), 8 deletions(-) diff --git a/scripts/install.ps1 b/scripts/install.ps1 index 928c45b3..e45f59d7 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -26,16 +26,29 @@ $minAttestedVersion = "v0.17.2" # Detect architecture. Native ARM64 Windows binaries are built from # bun-windows-arm64 (stable since Bun v1.3.10), so ARM64 hosts get a # native binary — no Windows x86-64 emulation tax. -if ([Environment]::Is64BitOperatingSystem) { - if ($env:PROCESSOR_ARCHITECTURE -eq "ARM64") { - $arch = "arm64" - } else { - $arch = "x64" - } -} else { +# +# PROCESSOR_ARCHITECTURE reports the architecture the current PowerShell +# process is running under. PROCESSOR_ARCHITEW6432 is set only in 32-bit +# processes running via WoW64 and reflects the HOST architecture. Prefer +# the latter when present so a 32-bit PowerShell on ARM64 Windows still +# selects the native arm64 binary. Matches install.cmd's detection. +if (-not [Environment]::Is64BitOperatingSystem) { Write-Error "32-bit Windows is not supported" exit 1 } +$hostArch = if ($env:PROCESSOR_ARCHITEW6432) { + $env:PROCESSOR_ARCHITEW6432 +} else { + $env:PROCESSOR_ARCHITECTURE +} +if ($hostArch -eq "ARM64") { + $arch = "arm64" +} elseif ($hostArch -eq "AMD64") { + $arch = "x64" +} else { + Write-Error "Unsupported Windows architecture: $hostArch" + exit 1 +} $platform = "win32-$arch" $binaryName = "plannotator-$platform.exe" diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 1d005e40..7dd8ddde 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -95,9 +95,15 @@ describe("install.ps1", () => { test("install.ps1 selects native arm64 binary on ARM64 Windows", () => { // release.yml now builds bun-windows-arm64 (stable since Bun v1.3.10), // so ARM64 hosts get a native binary instead of running the x64 build - // via Windows emulation. install.ps1 must detect PROCESSOR_ARCHITECTURE + // via Windows emulation. install.ps1 must detect host architecture // and set $arch accordingly so the downloaded binary matches the host. + // + // Must check BOTH PROCESSOR_ARCHITECTURE and PROCESSOR_ARCHITEW6432 — + // the latter is set only in 32-bit processes via WoW64 and reflects + // the host architecture. A 32-bit PowerShell on ARM64 Windows should + // still get the native arm64 binary. Matches install.cmd's detection. expect(script).toContain("PROCESSOR_ARCHITECTURE"); + expect(script).toContain("PROCESSOR_ARCHITEW6432"); expect(script).toContain('"ARM64"'); expect(script).toContain('$arch = "arm64"'); expect(script).toContain('$arch = "x64"'); From fdb989aff62752f269356cd0ad9cbed3a1379c34 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 19:31:22 -0700 Subject: [PATCH 20/24] =?UTF-8?q?fix(install):=20cycle-12=20review=20?= =?UTF-8?q?=E2=80=94=20consistency=20test,=20dead=20code,=20finally,=20doc?= =?UTF-8?q?s?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Four findings addressed. Two findings rejected. ## Finding 1 (nit): MIN_ATTESTED_VERSION triplicated without CI consistency Added a cross-file consistency test in install.test.ts that extracts the version literal from each of install.sh, install.ps1, install.cmd via regex and asserts all three match. A future bump that updates only one or two files now fails CI loudly. The per-file tests still exist (they check each file contains the current literal), but the new test catches drift where each file is internally consistent with itself but differs from the others. ## Finding 4 (nit): Write-Error + exit 1 dead code in install.ps1 Verified against the actual file: $ErrorActionPreference = "Stop" is set at line 8 and never modified. All six Write-Error sites are dead- end paths — five outside any try/catch, one inside a catch block (line 147) where Write-Error raises a new terminating error that propagates past the catch and exits the script with code 1 (PowerShell default). The `exit 1` lines that followed were never reachable. Dropped the six unreachable `exit 1` lines. Added a comment at the first occurrence explaining the Stop + Write-Error semantics so future maintainers don't re-add them. Behavior is unchanged at runtime — every error path still exits with code 1 via PowerShell's default unhandled-terminating-error handling. ## Finding 5 (nit): Pop-Location not in finally block Verified the reviewer's claim in install.ps1 lines 384-403. The skills install wraps git clone, Push-Location, and Copy-Item calls in a single try block, with Pop-Location on the success path. If Copy-Item throws under ErrorActionPreference=Stop, catch runs without popping, and the subsequent Remove-Item deletes a directory the PowerShell location stack still points into. A naive `finally { Pop-Location }` would introduce a new bug: Pop-Location throws on an empty stack, which happens when git clone silently fails and Push-Location is never reached. Used a nested-try pattern instead: try { git clone ... # native, no throw if (Test-Path "$skillsTmp\repo") { # guard against clone failure Push-Location "$skillsTmp\repo" try { ...operations... } finally { Pop-Location # always runs IF pushed } } } catch { Write-Host "Skipping..." } Traced all four failure modes: - clone fails silently → repo dir missing → skip inner block → no push, no pop → clean exit - clone succeeds → push succeeds → operations fail → finally pops → outer catch fires - clone + push + operations all succeed → finally pops cleanly - push itself throws (permissions) → outer catch fires, nothing to pop ## Finding 6 (P1): CMD/ps1 ARM64 breaks pinned pre-v0.17.2 tags The original plan was a runtime x64-fallback on 404, but the simpler product-level framing is: v0.17.2 is the first fully-supported version for pinning. Pre-v0.17.2 tags predate native ARM64 Windows (no win32-arm64 asset exists) and predate attestation support (pre-flight rejects). Users pinning to older tags are outside the supported matrix; the failure modes are explicit (404 / clean rejection), not silent corruption. Documented in the three install docs: - apps/marketing/.../installation.md: full "Supported versions" paragraph explaining the floor, what fails, and recovery paths - README.md: one-line note folded into the existing provenance sentence ("Version pinning, native ARM64 Windows, and SLSA provenance are supported from v0.17.2 onwards — see installation docs for details") - apps/hook/README.md: same tight one-liner pattern README.md and apps/hook/README.md stay bloat-free; the canonical explanation lives in the marketing docs. ## Findings rejected - **Finding 2 (P3, sort -V misorders prereleases):** plannotator doesn't ship prerelease tags. A user pinning to a hypothetical vX.Y.Z-rc1 would 404 at the download step before the sort -V misordering matters. Moot in practice. - **Finding 3 (important, sort -V is GNU-only):** FALSE POSITIVE. Tested on macOS 26.3.1 running sort 2.3-Apple (197) — both -V and --version-sort are supported and work correctly, including for prerelease suffixes. Apple forked BSD sort and added -V years ago. The reviewer's claim cites outdated reference material about historical BSD sort. 44 install tests pass (was 43). For provenance purposes, this commit was AI assisted. --- README.md | 2 +- apps/hook/README.md | 2 +- .../docs/getting-started/installation.md | 7 +++ scripts/install.ps1 | 52 ++++++++++++------- scripts/install.test.ts | 29 +++++++++++ 5 files changed, 70 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index a648c5ad..4b86e2a4 100644 --- a/README.md +++ b/README.md @@ -83,7 +83,7 @@ irm https://plannotator.ai/install.ps1 | iex & ([scriptblock]::Create((irm https://plannotator.ai/install.ps1))) -Version vX.Y.Z ``` -Every released binary ships with a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore. For manual verification commands and opt-in auto-verification during upgrades, see the [installation docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install). +Every released binary ships with a SHA256 sidecar (verified automatically on every install). Version pinning, native ARM64 Windows, and [SLSA provenance](https://slsa.dev/) are supported from v0.17.2 onwards — see the [installation docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install) for details. **Then in Claude Code:** diff --git a/apps/hook/README.md b/apps/hook/README.md index 7ada58b9..c22485fc 100644 --- a/apps/hook/README.md +++ b/apps/hook/README.md @@ -32,7 +32,7 @@ REM Pin to a specific reviewed version curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd --version vX.Y.Z && del install.cmd ``` -Released binaries ship with SHA256 sidecars (verified automatically on every install) and [SLSA build provenance](https://slsa.dev/) attestations signed via Sigstore. For manual verification commands and the opt-in auto-verification flags, see the [installation docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install). +Released binaries ship with SHA256 sidecars and [SLSA build provenance](https://slsa.dev/) attestations from v0.17.2 onwards. See the [installation docs](https://plannotator.ai/docs/getting-started/installation/#verifying-your-install) for the supported-version matrix and verification commands. --- diff --git a/apps/marketing/src/content/docs/getting-started/installation.md b/apps/marketing/src/content/docs/getting-started/installation.md index 9f91bd2b..be217855 100644 --- a/apps/marketing/src/content/docs/getting-started/installation.md +++ b/apps/marketing/src/content/docs/getting-started/installation.md @@ -43,6 +43,13 @@ curl -fsSL https://plannotator.ai/install.cmd -o install.cmd && install.cmd --ve The install script respects `CLAUDE_CONFIG_DIR` if set, placing hooks in your custom config directory instead of `~/.claude`. +**Supported versions:** version pinning is fully supported from **v0.17.2 onwards**. v0.17.2 is the first release to ship native ARM64 Windows binaries and SLSA build-provenance attestations; earlier tags were published before either existed. Pinning to a pre-v0.17.2 tag may work for default installs on macOS, Linux, and x64 Windows, but: + +- ARM64 Windows hosts will get a 404 (no native ARM64 binary exists in older releases). +- Provenance verification (`--verify-attestation` and friends) will be rejected by the installer's pre-flight floor. + +If you need a specific pre-v0.17.2 version, install without `--version` and `--verify-attestation` flags; otherwise, pin to v0.17.2 or later. + ### Verifying your install Every released binary is accompanied by a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore and recorded in the public transparency log. The SHA256 check is mandatory and always runs. Provenance verification is **optional** — it's only needed if you want a cryptographic link from the binary back to the exact commit and workflow run that built it. diff --git a/scripts/install.ps1 b/scripts/install.ps1 index e45f59d7..bc480c0a 100644 --- a/scripts/install.ps1 +++ b/scripts/install.ps1 @@ -33,8 +33,11 @@ $minAttestedVersion = "v0.17.2" # the latter when present so a 32-bit PowerShell on ARM64 Windows still # selects the native arm64 binary. Matches install.cmd's detection. if (-not [Environment]::Is64BitOperatingSystem) { + # Write-Error under $ErrorActionPreference = "Stop" (set at the top + # of this file) raises a terminating error that exits the process + # with code 1. No explicit `exit 1` needed here — it would be + # unreachable. Same applies to every other Write-Error in this file. Write-Error "32-bit Windows is not supported" - exit 1 } $hostArch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 @@ -47,7 +50,6 @@ if ($hostArch -eq "ARM64") { $arch = "x64" } else { Write-Error "Unsupported Windows architecture: $hostArch" - exit 1 } $platform = "win32-$arch" @@ -73,7 +75,6 @@ if ($Version -eq "latest") { if (-not $latestTag) { Write-Error "Failed to fetch latest version" - exit 1 } } else { # Normalize: auto-prefix v if missing (matches install.cmd behaviour) @@ -144,8 +145,9 @@ if ($verifyAttestationResolved) { $resolvedVersion = [version]($latestTag -replace '^v', '') $minVersion = [version]($minAttestedVersion -replace '^v', '') } catch { + # Write-Error under Stop raises a new terminating error that + # propagates past this catch and exits the script with code 1. Write-Error "Could not parse version tags for provenance check: latest=$latestTag min=$minAttestedVersion" - exit 1 } if ($resolvedVersion -lt $minVersion) { [Console]::Error.WriteLine("Provenance verification was requested, but $latestTag predates plannotator's attestation support.") @@ -183,7 +185,6 @@ $actualChecksum = (Get-FileHash -Path $tmpFile -Algorithm SHA256).Hash.ToLower() if ($actualChecksum -ne $expectedChecksum) { Remove-Item $tmpFile -Force Write-Error "Checksum verification failed!" - exit 1 } if ($verifyAttestationResolved) { @@ -213,12 +214,10 @@ if ($verifyAttestationResolved) { [Console]::Error.WriteLine(($verifyOutput | Out-String).TrimEnd()) Remove-Item $tmpFile -Force Write-Error "Attestation verification failed! The binary's SHA256 matched, but no valid signed provenance was found for $repo. Refusing to install." - exit 1 } } else { Remove-Item $tmpFile -Force Write-Error "verifyAttestation is enabled but gh CLI was not found. Install https://cli.github.com (and run 'gh auth login'), or unset PLANNOTATOR_VERIFY_ATTESTATION / remove verifyAttestation from $configPath / pass -SkipAttestation." - exit 1 } } else { Write-Host "SHA256 verified. For build provenance verification, see" @@ -383,21 +382,34 @@ if (Get-Command git -ErrorAction SilentlyContinue) { try { git clone --depth 1 --filter=blob:none --sparse "https://github.com/$repo.git" --branch $latestTag "$skillsTmp\repo" 2>$null - Push-Location "$skillsTmp\repo" - git sparse-checkout set apps/skills 2>$null - - if (Test-Path "apps\skills") { - $items = Get-ChildItem "apps\skills" -ErrorAction SilentlyContinue - if ($items) { - New-Item -ItemType Directory -Force -Path $claudeSkillsDir | Out-Null - New-Item -ItemType Directory -Force -Path $agentsSkillsDir | Out-Null - Copy-Item -Recurse -Force "apps\skills\*" $claudeSkillsDir - Copy-Item -Recurse -Force "apps\skills\*" $agentsSkillsDir - Write-Host "Installed skills to $claudeSkillsDir\ and $agentsSkillsDir\" + # git is a native executable — it does not throw under + # $ErrorActionPreference=Stop on non-zero exit. Guard with + # Test-Path so we only Push-Location if the clone actually + # produced a repo directory. + if (Test-Path "$skillsTmp\repo") { + Push-Location "$skillsTmp\repo" + # Inner try/finally guarantees Pop-Location runs exactly once + # after a successful Push-Location, regardless of whether the + # copy operations below throw. The naive pattern (Pop-Location + # only on the success path) leaks the location stack if a + # PS-native cmdlet (Copy-Item etc.) throws under Stop. + try { + git sparse-checkout set apps/skills 2>$null + + if (Test-Path "apps\skills") { + $items = Get-ChildItem "apps\skills" -ErrorAction SilentlyContinue + if ($items) { + New-Item -ItemType Directory -Force -Path $claudeSkillsDir | Out-Null + New-Item -ItemType Directory -Force -Path $agentsSkillsDir | Out-Null + Copy-Item -Recurse -Force "apps\skills\*" $claudeSkillsDir + Copy-Item -Recurse -Force "apps\skills\*" $agentsSkillsDir + Write-Host "Installed skills to $claudeSkillsDir\ and $agentsSkillsDir\" + } + } + } finally { + Pop-Location } } - - Pop-Location } catch { Write-Host "Skipping skills install (git sparse-checkout failed)" } diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 7dd8ddde..54ab4f08 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -416,6 +416,35 @@ describe("install shared behavior", () => { expect(ps).toMatch(/\$latestTag -match '-'/); }); + test("all three installers hardcode the SAME MIN_ATTESTED_VERSION value", () => { + // Cross-file consistency guard: the constant is triplicated across + // install.sh, install.ps1, install.cmd with no shared source of + // truth. A future bump that updates only one or two of the three + // files would silently ship divergent behavior — each installer + // would enforce a different floor. The per-file tests below check + // that each file contains the literal "v0.17.2" individually, but + // that doesn't catch drift where all three are internally consistent + // with themselves but differ from each other (e.g., sh says v0.17.3, + // ps says v0.17.2, cmd says v0.17.3). + // + // This test extracts the value from each file via a regex anchored + // on the assignment form (not just any mention of the string) and + // asserts all three match. + const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); + const shMatch = sh.match(/MIN_ATTESTED_VERSION="(v\d+\.\d+\.\d+)"/); + const psMatch = ps.match(/\$minAttestedVersion\s*=\s*"(v\d+\.\d+\.\d+)"/); + const cmdMatch = cmdScript.match(/set "MIN_ATTESTED_VERSION=(v\d+\.\d+\.\d+)"/); + expect(shMatch, "install.sh missing MIN_ATTESTED_VERSION assignment").toBeTruthy(); + expect(psMatch, "install.ps1 missing $minAttestedVersion assignment").toBeTruthy(); + expect(cmdMatch, "install.cmd missing MIN_ATTESTED_VERSION assignment").toBeTruthy(); + const values = new Set([shMatch![1], psMatch![1], cmdMatch![1]]); + if (values.size !== 1) { + throw new Error( + `MIN_ATTESTED_VERSION drift across installers: sh=${shMatch![1]}, ps=${psMatch![1]}, cmd=${cmdMatch![1]}. All three must match.` + ); + } + }); + test("all installers hardcode MIN_ATTESTED_VERSION and guard verification against older tags", () => { // Releases cut before this PR added `actions/attest-build-provenance` // to release.yml have no attestations. Running `gh attestation verify` From e7769632401c36b549eda9a3768f69b7e10e50cf Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 19:42:50 -0700 Subject: [PATCH 21/24] test: anchor MIN_ATTESTED_VERSION consistency regexes to line start Self-review catch: the cross-file consistency test added in the prior commit matched the assignment form anywhere in each file. No current comment triggers a false positive, but a future comment like `# Example: MIN_ATTESTED_VERSION="v0.17.0"` would match first and shadow the real assignment, causing the test to report the wrong value or pass when it shouldn't. Hardened by adding /m flag and ^ anchor. The real assignments in all three installers are flush-left at the top of their files, so requiring line-start is both safe (won't reject current code) and stricter (future comments with leading whitespace or other prefixes are ignored). 44 tests still pass. For provenance purposes, this commit was AI assisted. --- scripts/install.test.ts | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/scripts/install.test.ts b/scripts/install.test.ts index 54ab4f08..e9d0d8f4 100644 --- a/scripts/install.test.ts +++ b/scripts/install.test.ts @@ -430,10 +430,14 @@ describe("install shared behavior", () => { // This test extracts the value from each file via a regex anchored // on the assignment form (not just any mention of the string) and // asserts all three match. + // Line-anchored regexes (/m) so a future comment that happens to + // contain the assignment form doesn't false-match and shadow the + // real declaration. All three current assignments are flush-left + // at the top of their respective files. const cmdScript = readFileSync(join(scriptsDir, "install.cmd"), "utf-8"); - const shMatch = sh.match(/MIN_ATTESTED_VERSION="(v\d+\.\d+\.\d+)"/); - const psMatch = ps.match(/\$minAttestedVersion\s*=\s*"(v\d+\.\d+\.\d+)"/); - const cmdMatch = cmdScript.match(/set "MIN_ATTESTED_VERSION=(v\d+\.\d+\.\d+)"/); + const shMatch = sh.match(/^MIN_ATTESTED_VERSION="(v\d+\.\d+\.\d+)"/m); + const psMatch = ps.match(/^\$minAttestedVersion\s*=\s*"(v\d+\.\d+\.\d+)"/m); + const cmdMatch = cmdScript.match(/^set "MIN_ATTESTED_VERSION=(v\d+\.\d+\.\d+)"/m); expect(shMatch, "install.sh missing MIN_ATTESTED_VERSION assignment").toBeTruthy(); expect(psMatch, "install.ps1 missing $minAttestedVersion assignment").toBeTruthy(); expect(cmdMatch, "install.cmd missing MIN_ATTESTED_VERSION assignment").toBeTruthy(); From 7e3c8b65acc39bca3b2322d9d78c61a8aa0ffff5 Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 20:05:58 -0700 Subject: [PATCH 22/24] =?UTF-8?q?fix:=20cycle-13=20review=20=E2=80=94=20ch?= =?UTF-8?q?ecksum=20cleanup=20leak=20+=20Gemini=20CI=20coverage?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two findings addressed. Two pre-existing findings flagged but not in scope. ## Finding 3 (nit): CHECKSUM_FILE leak on download failure install.cmd's checksum download error path deleted TEMP_FILE but omitted CHECKSUM_FILE. curl -o creates the output file before it receives data, so a network failure or HTTP error leaves a 0-byte or partial file in %TEMP% that the script never cleans up. The symmetric cleanup for TEMP_FILE elsewhere in the script makes this an accidental omission, not an intentional design choice. Added `if exist "!CHECKSUM_FILE!" del "!CHECKSUM_FILE!"` inside the error block, matching the existing cleanup discipline. ## Finding 1 (nit): Windows CI readback misses Gemini .toml files The `Verify Claude Code slash command files contain the shell- invocation prefix` step in the Windows integration job verified the three `.md` files at %USERPROFILE%\.claude\commands\ but not the two `.toml` files at %USERPROFILE%\.gemini\commands\. Both sets of files use the `^^!` cmd escape pattern that this PR added, and a future regression that drops a `^` from the Gemini echoes would slip past CI even though install.test.ts catches it statically. Extended the readback step to also verify plannotator-review.toml and plannotator-annotate.toml contain the `!{plannotator ...}` invocation form. Same regression class, same guard, same runner — the earlier Gemini-merge fixture step already seeds ~/.gemini/settings.json, which causes install.cmd's Gemini block to fire and write the .toml files alongside the Claude Code ones, so no additional setup is required. ## Findings rejected (out of scope, pre-existing) - **install.cmd vs install.ps1 install location divergence:** cmd installs to %USERPROFILE%\.local\bin while ps1 installs to %LOCALAPPDATA%\plannotator. A user who switches between the two Windows installers ends up with hooks.json pointing at one location and an orphan binary at the other. Pre-existing structural divergence, requires picking a canonical location and migrating users on whichever installer changes. Out of scope for this PR. - **install.sh Gemini merge throws on user's malformed JSON:** if ~/.gemini/settings.json is invalid JSON, the embedded `node -e` call exits non-zero, set -e propagates, and the install aborts mid-run after the binary is in place but before slash commands are written. Pre-existing — the Gemini block predates this PR. Worth a follow-up but not in scope here. 44 install tests pass. For provenance purposes, this commit was AI assisted. --- .github/workflows/test.yml | 21 +++++++++++++++++++++ scripts/install.cmd | 5 +++++ 2 files changed, 26 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4aed28fe..d319f940 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -233,6 +233,7 @@ jobs: # single-quoted heredocs / here-strings. This step checks that # install.cmd now matches (via `echo ^!`) and catches future # regressions of the same class. + # Claude Code slash commands — `.md` files with `!`\`plannotator ...\`` invocation syntax $cmdDir = "$env:USERPROFILE\.claude\commands" foreach ($file in @("plannotator-review.md", "plannotator-annotate.md", "plannotator-last.md")) { $path = Join-Path $cmdDir $file @@ -246,6 +247,26 @@ jobs: } Write-Host "✓ All three Claude Code slash command files contain the '!' prefix" + # Gemini slash commands — `.toml` files with `!{plannotator ...}` invocation syntax. + # Same `^^!` cmd-escape class as the Claude Code files. The earlier integration + # step seeded `~/.gemini/settings.json`, so install.cmd's Gemini block fired and + # wrote these two files alongside the Claude Code ones. They use a different + # invocation form (`!{...}` instead of `!\`...\``) but the regression risk is + # identical — a future revision that drops a `^` from the echo would silently + # produce broken Gemini commands. + $geminiDir = "$env:USERPROFILE\.gemini\commands" + foreach ($file in @("plannotator-review.toml", "plannotator-annotate.toml")) { + $path = Join-Path $geminiDir $file + if (-not (Test-Path $path)) { + throw "Expected Gemini command file missing: $path" + } + $content = Get-Content $path -Raw + if ($content -notmatch '!\{plannotator') { + throw "Gemini command file $file is missing the '!' shell-invocation prefix. Content: $content" + } + } + Write-Host "✓ Both Gemini slash command files contain the '!' prefix" + - name: Unknown flag is rejected with non-zero exit shell: pwsh run: | diff --git a/scripts/install.cmd b/scripts/install.cmd index 3a183177..f46cc364 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -255,6 +255,11 @@ set "CHECKSUM_FILE=%TEMP%\plannotator-checksum-%RANDOM%.txt" curl -fsSL "!CHECKSUM_URL!" -o "!CHECKSUM_FILE!" if !ERRORLEVEL! neq 0 ( echo Failed to download checksum >&2 + REM curl -o creates the output file before receiving data, so a + REM network failure or HTTP error leaves a 0-byte/partial file + REM at CHECKSUM_FILE. Clean it up to match the discipline used + REM for TEMP_FILE elsewhere in this script. + if exist "!CHECKSUM_FILE!" del "!CHECKSUM_FILE!" del "!TEMP_FILE!" exit /b 1 ) From 5fca00e6ee996230e63919cd2021cd0838b9554a Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 20:17:50 -0700 Subject: [PATCH 23/24] docs: update stale v0.17.1 references in script comments to vX.Y.Z MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two cosmetic comment fixes flagged during the cycle-13 self-review. The user-facing examples and docs were updated to vX.Y.Z in cycle 5, but two inline code comments still referenced the old concrete version: - scripts/install.sh:129 — "Positional form: install.sh v0.17.1 (matches install.cmd interface)" - scripts/install.cmd:71 — "Positional form: install.cmd v0.17.1 (legacy interface)" Both updated to vX.Y.Z so the in-code comments match the rest of the documentation. No behavior change. 44 install tests pass. For provenance purposes, this commit was AI assisted. --- scripts/install.cmd | 2 +- scripts/install.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install.cmd b/scripts/install.cmd index f46cc364..052eea4f 100644 --- a/scripts/install.cmd +++ b/scripts/install.cmd @@ -68,7 +68,7 @@ if "!CURRENT_ARG:~0,1!"=="-" ( echo Usage: install.cmd [--version ^] [--verify-attestation ^| --skip-attestation] >&2 exit /b 1 ) -REM Positional form: install.cmd v0.17.1 (legacy interface). +REM Positional form: install.cmd vX.Y.Z (legacy interface). REM Reject if --version was already passed — silent overwrite is worse REM than a clean usage error. if "!VERSION_EXPLICIT!"=="1" ( diff --git a/scripts/install.sh b/scripts/install.sh index 67792e10..6d02bcd8 100644 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -126,7 +126,7 @@ while [ $# -gt 0 ]; do exit 1 ;; *) - # Positional form: install.sh v0.17.1 (matches install.cmd interface). + # Positional form: install.sh vX.Y.Z (matches install.cmd interface). # Reject if --version was already passed — silent overwrite is worse # than a clean usage error. if [ "$VERSION_EXPLICIT" -eq 1 ]; then From b783fcd0a4d366b0aa102cbcf6f4fa242753ed6f Mon Sep 17 00:00:00 2001 From: Michael Ramos Date: Tue, 7 Apr 2026 20:32:28 -0700 Subject: [PATCH 24/24] docs(skill): update release skill platform/binary counts for ARM64 Windows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two stale references in .agents/skills/release/SKILL.md after the ARM64 Windows binaries were added: - "5 platforms (macOS ARM64/x64, Linux x64/ARM64, Windows x64)" → "6 platforms (macOS ARM64/x64, Linux x64/ARM64, Windows x64/ARM64)" - "Compiles paste service binaries (same 5 platforms)" → "Compiles paste service binaries (same 6 platforms)" - "Generates SLSA build provenance attestations for all 10 binaries" → "Generates SLSA build provenance attestations for all 12 binaries" The first two predate this PR; the third was added in the cycle-1 commit and not bumped when the ARM64 Windows targets landed in the ARM64 commit. All three corrected together so the release agent sees an internally-consistent description of what the pipeline actually does. Verified against release.yml — 12 entries in the attest job's subject-path list, 12 compile commands in the build job, all six platforms (macOS arm64/x64, Linux x64/arm64, Windows x64/arm64) for both plannotator and paste-service. For provenance purposes, this commit was AI assisted. --- .agents/skills/release/SKILL.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.agents/skills/release/SKILL.md b/.agents/skills/release/SKILL.md index e86632d1..6e3e540d 100644 --- a/.agents/skills/release/SKILL.md +++ b/.agents/skills/release/SKILL.md @@ -187,9 +187,9 @@ If anything is missing, fix it before proceeding to Phase 4. Common fixes: 3. **The pipeline handles everything else:** - Runs tests - - Cross-compiles binaries for 5 platforms (macOS ARM64/x64, Linux x64/ARM64, Windows x64) - - Compiles paste service binaries (same 5 platforms) - - Generates SLSA build provenance attestations for all 10 binaries via `actions/attest-build-provenance` (signed through Sigstore, recorded in Rekor) + - Cross-compiles binaries for 6 platforms (macOS ARM64/x64, Linux x64/ARM64, Windows x64/ARM64) + - Compiles paste service binaries (same 6 platforms) + - Generates SLSA build provenance attestations for all 12 binaries via `actions/attest-build-provenance` (signed through Sigstore, recorded in Rekor) - Creates the GitHub Release with all binaries attached - Publishes `@plannotator/opencode` and `@plannotator/pi-extension` to npm with provenance