agent: lumotia — supply-chain pre-flight (npm audit signatures + install discipline)
Adds defence-in-depth against npm-worm attacks (Shai-Hulud / mini-Shai-Hulud). - run.sh: gates dev launch on `npm audit signatures` whenever package-lock.json is newer than .lumotia-last-audit. Fails loud on signature mismatch. Skip with LUMOTIA_SKIP_AUDIT=1 for offline dev. - README: documents `npm ci --ignore-scripts` as the install discipline (blocks the postinstall vector worms exploit) and explains the audit hook. - .gitignore: excludes the per-clone audit stamp. Lumotia's current tree (192 packages) cross-references clean against the mini-Shai-Hulud affected-package list — this is preventive, not remedial.
This commit is contained in:
1
.gitignore
vendored
1
.gitignore
vendored
@@ -6,3 +6,4 @@ dist/
|
|||||||
.firecrawl/
|
.firecrawl/
|
||||||
.worktrees/
|
.worktrees/
|
||||||
.cargo/
|
.cargo/
|
||||||
|
.lumotia-last-audit
|
||||||
|
|||||||
10
README.md
10
README.md
@@ -269,6 +269,16 @@ choco install cmake llvm vulkan-sdk
|
|||||||
|
|
||||||
See [`docs/dev-setup.md`](docs/dev-setup.md) for the authoritative per-platform dependency list and for how `LIBCLANG_PATH` should be set.
|
See [`docs/dev-setup.md`](docs/dev-setup.md) for the authoritative per-platform dependency list and for how `LIBCLANG_PATH` should be set.
|
||||||
|
|
||||||
|
### Installing npm dependencies
|
||||||
|
|
||||||
|
Use `npm ci --ignore-scripts` rather than bare `npm install`. `--ignore-scripts` blocks the postinstall script vector that npm-worm attacks (Shai-Hulud, mini-Shai-Hulud) rely on. `ci` installs strictly from `package-lock.json`, refusing to mutate the lockfile silently.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
npm ci --ignore-scripts
|
||||||
|
```
|
||||||
|
|
||||||
|
`run.sh` runs `npm audit signatures` automatically whenever `package-lock.json` is newer than the last successful audit, and refuses to launch on signature mismatch. Skip with `LUMOTIA_SKIP_AUDIT=1` for offline dev.
|
||||||
|
|
||||||
### Dev launch
|
### Dev launch
|
||||||
|
|
||||||
Canonical full-stack dev launch — starts Vite, waits for port 1420, then launches Tauri:
|
Canonical full-stack dev launch — starts Vite, waits for port 1420, then launches Tauri:
|
||||||
|
|||||||
15
run.sh
15
run.sh
@@ -20,6 +20,21 @@ case "$(uname -s)" in
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
# Supply-chain pre-flight. Verify npm registry signatures whenever the
|
||||||
|
# lockfile has changed since the last successful audit. Skip with
|
||||||
|
# LUMOTIA_SKIP_AUDIT=1 (e.g. offline dev). Fails loud on signature mismatch.
|
||||||
|
audit_stamp=".lumotia-last-audit"
|
||||||
|
if [ "${LUMOTIA_SKIP_AUDIT:-0}" != "1" ]; then
|
||||||
|
if [ ! -f "$audit_stamp" ] || [ "package-lock.json" -nt "$audit_stamp" ]; then
|
||||||
|
printf 'Lockfile changed since last audit. Verifying npm signatures...\n' >&2
|
||||||
|
if ! npm audit signatures; then
|
||||||
|
printf 'npm audit signatures FAILED. Possible supply-chain compromise. Investigate before launching. Override: LUMOTIA_SKIP_AUDIT=1\n' >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
touch "$audit_stamp"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
printf 'Starting Vite dev server...\n' >&2
|
printf 'Starting Vite dev server...\n' >&2
|
||||||
npm run dev:frontend &
|
npm run dev:frontend &
|
||||||
VITE_PID=$!
|
VITE_PID=$!
|
||||||
|
|||||||
Reference in New Issue
Block a user