From e4d56b831f2ee83c20dc52b010ded1a669268f94 Mon Sep 17 00:00:00 2001 From: Jake Date: Thu, 14 May 2026 06:41:53 +0100 Subject: [PATCH] =?UTF-8?q?agent:=20lumotia=20=E2=80=94=20supply-chain=20p?= =?UTF-8?q?re-flight=20(npm=20audit=20signatures=20+=20install=20disciplin?= =?UTF-8?q?e)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds defence-in-depth against npm-worm attacks (Shai-Hulud / mini-Shai-Hulud). - run.sh: gates dev launch on `npm audit signatures` whenever package-lock.json is newer than .lumotia-last-audit. Fails loud on signature mismatch. Skip with LUMOTIA_SKIP_AUDIT=1 for offline dev. - README: documents `npm ci --ignore-scripts` as the install discipline (blocks the postinstall vector worms exploit) and explains the audit hook. - .gitignore: excludes the per-clone audit stamp. Lumotia's current tree (192 packages) cross-references clean against the mini-Shai-Hulud affected-package list — this is preventive, not remedial. --- .gitignore | 1 + README.md | 10 ++++++++++ run.sh | 15 +++++++++++++++ 3 files changed, 26 insertions(+) diff --git a/.gitignore b/.gitignore index 40d9f1e..82c1f40 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ dist/ .firecrawl/ .worktrees/ .cargo/ +.lumotia-last-audit diff --git a/README.md b/README.md index 15af4e6..bedf036 100644 --- a/README.md +++ b/README.md @@ -269,6 +269,16 @@ choco install cmake llvm vulkan-sdk See [`docs/dev-setup.md`](docs/dev-setup.md) for the authoritative per-platform dependency list and for how `LIBCLANG_PATH` should be set. +### Installing npm dependencies + +Use `npm ci --ignore-scripts` rather than bare `npm install`. `--ignore-scripts` blocks the postinstall script vector that npm-worm attacks (Shai-Hulud, mini-Shai-Hulud) rely on. `ci` installs strictly from `package-lock.json`, refusing to mutate the lockfile silently. + +```bash +npm ci --ignore-scripts +``` + +`run.sh` runs `npm audit signatures` automatically whenever `package-lock.json` is newer than the last successful audit, and refuses to launch on signature mismatch. Skip with `LUMOTIA_SKIP_AUDIT=1` for offline dev. + ### Dev launch Canonical full-stack dev launch — starts Vite, waits for port 1420, then launches Tauri: diff --git a/run.sh b/run.sh index d26def6..33662aa 100755 --- a/run.sh +++ b/run.sh @@ -20,6 +20,21 @@ case "$(uname -s)" in ;; esac +# Supply-chain pre-flight. Verify npm registry signatures whenever the +# lockfile has changed since the last successful audit. Skip with +# LUMOTIA_SKIP_AUDIT=1 (e.g. offline dev). Fails loud on signature mismatch. +audit_stamp=".lumotia-last-audit" +if [ "${LUMOTIA_SKIP_AUDIT:-0}" != "1" ]; then + if [ ! -f "$audit_stamp" ] || [ "package-lock.json" -nt "$audit_stamp" ]; then + printf 'Lockfile changed since last audit. Verifying npm signatures...\n' >&2 + if ! npm audit signatures; then + printf 'npm audit signatures FAILED. Possible supply-chain compromise. Investigate before launching. Override: LUMOTIA_SKIP_AUDIT=1\n' >&2 + exit 1 + fi + touch "$audit_stamp" + fi +fi + printf 'Starting Vite dev server...\n' >&2 npm run dev:frontend & VITE_PID=$!