Harden installer verification and route traces/task ingestion via base tool

nikivdev · nikivdev · commit 531d9159334f · 2026-02-07T18:07:03.000+02:00
diff --git a/install.sh b/install.sh
@@ -4,6 +4,10 @@ set -eu
 # Flow CLI installer
 # Usage: curl -fsSL https://myflow.sh/install.sh | sh
 
+# Security posture:
+# - We require SHA-256 verification by default.
+# - Set FLOW_INSTALL_INSECURE=1 (or true/yes) to bypass verification.
+
 #region logging
 if [ "${FLOW_DEBUG-}" = "true" ] || [ "${FLOW_DEBUG-}" = "1" ]; then
   debug() { echo "$@" >&2; }
@@ -21,6 +25,13 @@ error() {
   echo "error: $@" >&2
   exit 1
 }
+
+is_truthy() {
+  case "${1:-}" in
+    1|true|TRUE|yes|YES|y|Y) return 0 ;;
+    *) return 1 ;;
+  esac
+}
 #endregion
 
 #region platform detection
@@ -94,6 +105,9 @@ validate_repo() {
 
 validate_token() {
   token="$1"
+  if [ -z "${token:-}" ]; then
+    error "GitHub token is empty"
+  fi
   case "$token" in
     *[!A-Za-z0-9._-]*)
       error "invalid GitHub token characters (refusing to use it)"
@@ -122,9 +136,9 @@ download_file() {
   if command -v curl >/dev/null 2>&1; then
     debug ">" curl -fsSL -o "$file" "$url"
     if [ "${FLOW_DEBUG-}" = "true" ] || [ "${FLOW_DEBUG-}" = "1" ]; then
-      curl -fsSL -o "$file" "$url"
+      curl -fsSL --proto '=https' --tlsv1.2 -o "$file" "$url"
     else
-      curl -fsSL -o "$file" "$url" 2>/dev/null
+      curl -fsSL --proto '=https' --tlsv1.2 -o "$file" "$url" 2>/dev/null
     fi
   elif command -v wget >/dev/null 2>&1; then
     debug ">" wget -qO "$file" "$url"
@@ -142,13 +156,13 @@ fetch_url() {
         token="${GITHUB_TOKEN:-${GH_TOKEN:-${FLOW_GITHUB_TOKEN:-}}}"
         if [ -n "${token:-}" ]; then
           validate_token "$token"
-          curl -fsSL -H "Authorization: Bearer $token" "$url"
+          curl -fsSL --proto '=https' --tlsv1.2 -H "Authorization: Bearer ${token}" "$url"
         else
-          curl -fsSL "$url"
+          curl -fsSL --proto '=https' --tlsv1.2 "$url"
         fi
         ;;
       *)
-        curl -fsSL "$url"
+        curl -fsSL --proto '=https' --tlsv1.2 "$url"
         ;;
     esac
   elif command -v wget >/dev/null 2>&1; then
@@ -238,6 +252,7 @@ install_flow() {
 
   download_dir="$(mktemp -d)"
   tarball="$download_dir/flow.tar.gz"
+  download_source="unknown"
 
   asset_file="flow-${target}.tar.gz"
   legacy_os="$os"
@@ -255,12 +270,15 @@ install_flow() {
   info "flow: downloading..."
   if command -v curl >/dev/null 2>&1 && curl -fsSL -o "$tarball" "$cdn_url" 2>/dev/null; then
     debug "flow: downloaded from CDN"
+    download_source="cdn"
   else
     debug "flow: trying GitHub..."
     if download_file "$github_url" "$tarball"; then
       asset_file="flow-${target}.tar.gz"
+      download_source="github"
     elif download_file "$legacy_url" "$tarball"; then
       asset_file="$legacy_file"
+      download_source="legacy"
     else
       error "download failed"
     fi
@@ -278,6 +296,17 @@ install_flow() {
         expected="$(get_checksum_for_file "$version" "$legacy_file" 2>/dev/null)" || true
       fi
     fi
+    if [ -z "${expected:-}" ]; then
+      if is_truthy "${FLOW_INSTALL_INSECURE-}"; then
+        info "flow: warning: checksum not verified (FLOW_INSTALL_INSECURE=1)"
+      elif [ "${download_source:-}" = "cdn" ]; then
+        rm -rf "$download_dir" "$extract_dir" 2>/dev/null || true
+        error "checksum verification failed for CDN download (checksums.txt missing or entry not found). Refusing to install.\nSet FLOW_INSTALL_INSECURE=1 to bypass (not recommended)."
+      else
+        info "flow: warning: checksum not verified (checksums.txt missing or entry not found; legacy release?)"
+        expected=""
+      fi
+    fi
     if [ -n "${expected:-}" ]; then
       debug "flow: verifying checksum..."
       actual="$($shasum "$tarball" | awk '{print $1}')"
@@ -286,8 +315,12 @@ install_flow() {
         error "checksum mismatch"
       fi
       info "flow: checksum verified"
+    fi
+  else
+    if is_truthy "${FLOW_INSTALL_INSECURE-}"; then
+      info "flow: warning: sha256 tool not found, skipping checksum verification (FLOW_INSTALL_INSECURE=1)"
     else
-      info "flow: warning: checksum not verified (checksums.txt missing or entry not found)"
+      error "sha256 tool not found (need shasum or sha256sum). Refusing to install.\nSet FLOW_INSTALL_INSECURE=1 to bypass (not recommended)."
     fi
   fi
 
diff --git a/readme.md b/readme.md
@@ -14,6 +14,10 @@ curl -fsSL https://raw.githubusercontent.com/nikivdev/flow/main/install.sh | sh
 
 Then run `f --version` and `f doctor`.
 
+The installer verifies SHA-256 checksums when available. If you are installing a legacy release
+that doesn't ship `checksums.txt`, it will warn and continue (GitHub download only). To bypass
+verification explicitly (not recommended), set `FLOW_INSTALL_INSECURE=1`.
+
 ## Upgrade
 
 Upgrade to the latest release:
@@ -39,6 +43,9 @@ If you fork Flow (or publish releases under a different repo), set:
 - `FLOW_UPGRADE_REPO=owner/repo`
 - `FLOW_GITHUB_TOKEN` (or `GITHUB_TOKEN` / `GH_TOKEN`) to avoid GitHub API rate limits
 
+If you are upgrading to a very old tag that doesn't ship `checksums.txt`, you can force bypassing
+checksum verification with `FLOW_UPGRADE_INSECURE=1` (not recommended).
+
 ## Supported Platforms
 
 Release artifacts are built for:
@@ -63,6 +70,9 @@ f release signing store --p12 /path/to/cert.p12 --p12-password '...' --identity
 f release signing sync
 ```
 
+Note: Apple provides a `.cer` download, but CI signing needs a `.p12` that includes the private key.
+Export the "Developer ID Application: ..." identity as `.p12` from Keychain Access.
+
 Notarization is optional for a CLI distributed via `curl | sh` (downloads via `curl`
 typically do not set the quarantine attribute), but can be added later if desired.
 
diff --git a/src/base_tool.rs b/src/base_tool.rs
@@ -0,0 +1,59 @@
+use std::path::{Path, PathBuf};
+use std::process::{Command, Stdio};
+
+use anyhow::{Context, Result};
+
+pub fn resolve_bin() -> Option<PathBuf> {
+    if let Ok(value) = std::env::var("FLOW_BASE_BIN") {
+        let trimmed = value.trim();
+        if !trimmed.is_empty() {
+            return Some(PathBuf::from(trimmed));
+        }
+    }
+
+    // Prefer a more specific name, but fall back to the current base repo binary name.
+    for name in ["base", "db"] {
+        if let Ok(path) = which::which(name) {
+            return Some(path);
+        }
+    }
+
+    None
+}
+
+pub fn run_inherit_stdio(bin: &Path, args: &[String]) -> Result<()> {
+    let status = Command::new(bin)
+        .args(args)
+        .stdin(Stdio::inherit())
+        .stdout(Stdio::inherit())
+        .stderr(Stdio::inherit())
+        .status()
+        .with_context(|| format!("failed to run {} {}", bin.display(), args.join(" ")))?;
+    if !status.success() {
+        anyhow::bail!("{} exited with {}", bin.display(), status);
+    }
+    Ok(())
+}
+
+pub fn run_with_stdin(bin: &Path, args: &[String], stdin: &str) -> Result<()> {
+    let mut child = Command::new(bin)
+        .args(args)
+        .stdin(Stdio::piped())
+        .stdout(Stdio::null())
+        .stderr(Stdio::inherit())
+        .spawn()
+        .with_context(|| format!("failed to spawn {} {}", bin.display(), args.join(" ")))?;
+
+    {
+        use std::io::Write;
+        let child_stdin = child.stdin.as_mut().context("failed to open stdin")?;
+        child_stdin.write_all(stdin.as_bytes())?;
+    }
+
+    let status = child.wait()?;
+    if !status.success() {
+        anyhow::bail!("{} exited with {}", bin.display(), status);
+    }
+    Ok(())
+}
+
diff --git a/src/jazz_state_stub.rs b/src/jazz_state_stub.rs
@@ -1,8 +1,20 @@
 use anyhow::Result;
 
 use crate::history::InvocationRecord;
+use crate::base_tool;
 
-pub fn record_task_run(_record: &InvocationRecord) -> Result<()> {
+pub fn record_task_run(record: &InvocationRecord) -> Result<()> {
+    // Best-effort: never fail the parent task run if base isn't installed or errors out.
+    let Some(bin) = base_tool::resolve_bin() else {
+        return Ok(());
+    };
+
+    let Ok(payload) = serde_json::to_string(record) else {
+        return Ok(());
+    };
+
+    let args: Vec<String> = vec!["ingest".to_string(), "task-run".to_string()];
+    let _ = base_tool::run_with_stdin(&bin, &args, &payload);
     Ok(())
 }
 
diff --git a/src/lib.rs b/src/lib.rs
@@ -6,6 +6,7 @@ pub mod ai_server;
 pub mod archive;
 pub mod ask;
 pub mod auth;
+pub mod base_tool;
 pub mod changes;
 pub mod cli;
 pub mod code;
diff --git a/src/traces_stub.rs b/src/traces_stub.rs
@@ -1,15 +1,48 @@
-use anyhow::Result;
+use anyhow::{Result, bail};
 
 use crate::cli::{TraceSessionOpts, TraceSource, TracesOpts};
+use crate::base_tool;
 
-pub fn run(_opts: TracesOpts) -> Result<()> {
-    println!("traces disabled (flow built without jazz2 support)");
-    Ok(())
+pub fn run(opts: TracesOpts) -> Result<()> {
+    let Some(bin) = base_tool::resolve_bin() else {
+        bail!(
+            "traces require the base tool (FLOW_BASE_BIN).\n\
+             Install it, then retry.\n\
+             (Expected `base` or `db` on PATH, or set FLOW_BASE_BIN=/path/to/base)"
+        );
+    };
+
+    let mut args: Vec<String> = vec!["trace".to_string(), "--limit".to_string(), opts.limit.to_string()];
+    if opts.follow {
+        args.push("--follow".to_string());
+    }
+    if let Some(project) = opts.project.as_deref().map(|s| s.trim()).filter(|s| !s.is_empty()) {
+        args.push("--project".to_string());
+        args.push(project.to_string());
+    }
+    args.push("--source".to_string());
+    args.push(match opts.source {
+        TraceSource::All => "all",
+        TraceSource::Tasks => "tasks",
+        TraceSource::Ai => "ai",
+    }.to_string());
+
+    base_tool::run_inherit_stdio(&bin, &args)
 }
 
 pub fn run_session(_opts: TraceSessionOpts) -> Result<()> {
-    println!("traces disabled (flow built without jazz2 support)");
-    Ok(())
+    let Some(bin) = base_tool::resolve_bin() else {
+        bail!(
+            "trace session requires the base tool (FLOW_BASE_BIN).\n\
+             Install it, then retry.\n\
+             (Expected `base` or `db` on PATH, or set FLOW_BASE_BIN=/path/to/base)"
+        );
+    };
+
+    // Keep behavior compatible with Flow's old implementation: always show full session history.
+    let mut args: Vec<String> = vec!["session".to_string()];
+    args.push(_opts.path.display().to_string());
+    base_tool::run_inherit_stdio(&bin, &args)
 }
 
 pub fn trace_source_from_str(_value: &str) -> TraceSource {
diff --git a/src/upgrade.rs b/src/upgrade.rs
@@ -21,6 +21,17 @@ use crate::cli::UpgradeOpts;
 
 const UPGRADE_CHECK_INTERVAL_HOURS: u64 = 24;
 
+fn env_truthy(key: &str) -> bool {
+    match env::var(key)
+        .ok()
+        .map(|v| v.trim().to_ascii_lowercase())
+        .as_deref()
+    {
+        Some("1") | Some("true") | Some("yes") | Some("y") => true,
+        _ => false,
+    }
+}
+
 fn upgrade_repo() -> Result<(String, String)> {
     if let Ok(value) = env::var("FLOW_UPGRADE_REPO") {
         if let Some((owner, repo)) = value.trim().split_once('/') {
@@ -602,11 +613,13 @@ pub fn run(opts: UpgradeOpts) -> Result<()> {
     let temp_tarball = env::temp_dir().join("flow_upgrade.tar.gz");
     download_with_progress(&client, &tarball_asset.browser_download_url, &temp_tarball)?;
 
+    let insecure = env_truthy("FLOW_UPGRADE_INSECURE");
     if let Some(asset) = checksums_asset {
         let temp_checksums = env::temp_dir().join("flow_upgrade_checksums.txt");
         download_with_progress(&client, &asset.browser_download_url, &temp_checksums)?;
         let checksums = fs::read_to_string(&temp_checksums)
             .context("failed to read downloaded checksums.txt")?;
+
         if let Some(expected) = parse_sha256_from_checksums(&checksums, &tarball_asset.name) {
             let actual = sha256_file(&temp_tarball)?;
             if expected.to_lowercase() != actual.to_lowercase() {
@@ -618,15 +631,26 @@ pub fn run(opts: UpgradeOpts) -> Result<()> {
                 );
             }
             println!("Checksum verified.");
+        } else if insecure {
+            eprintln!(
+                "Warning: checksums.txt does not contain {}; skipping checksum verification (FLOW_UPGRADE_INSECURE=1).",
+                tarball_asset.name
+            );
         } else {
-            println!(
-                "Warning: checksums.txt does not contain {}; skipping checksum verification.",
+            bail!(
+                "checksums.txt does not contain {}. Refusing to install.\n\
+                 Set FLOW_UPGRADE_INSECURE=1 to bypass (not recommended).",
                 tarball_asset.name
             );
         }
         let _ = fs::remove_file(&temp_checksums);
+    } else if insecure {
+        eprintln!(
+            "Warning: checksums.txt not found in release assets; skipping checksum verification (FLOW_UPGRADE_INSECURE=1)."
+        );
     } else {
-        println!(
+        // Back-compat for older releases (e.g. v0.1.0) that don't ship checksums.txt.
+        eprintln!(
             "Warning: checksums.txt not found in release assets; skipping checksum verification."
         );
     }
