Security hardening and installer resilience audit (#72)

- Prevent .env overwrite on re-install: _env_get() merges existing user
  secrets/API keys instead of regenerating them
- Add ERR trap with phase tracking to install-core.sh for actionable
  failure diagnostics
- Replace unsafe `source .env` with line-by-line parser in dream-preflight.sh
- Fix sed injection in 4 files (dashboard entrypoint, 06-directories,
  07-devtools) by escaping special characters before substitution
- Fix JSON injection in dream-backup.sh and dream-update.sh by using
  jq --arg instead of heredoc interpolation
- Add tar path traversal protection in dream-restore.sh
- Fix curl auth header quoting in dream-update.sh (array instead of string)
- Add jq prerequisite check to dream-backup.sh and dream-update.sh
- Add model download retry (3 attempts with resume) in 11-services.sh
- Fix `local` keyword used outside function in 11-services.sh
- Track health check failures with counter instead of swallowing via || true
- Add port check fallback warning when ss/netstat missing
- Remove duplicate LLAMA_SERVER_PORT from generated .env
- Preserve LIVEKIT_API_KEY on re-install via _env_get
- Add dream-uninstall.sh for clean removal
- Add archive/ to .gitignore

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: Lightheartdevs

.gitignore

@@ -60,3 +60,8 @@ dream-server/.claude/
 dream-server/.pytest_cache/
 dream-server/tests/__pycache__/
 dream-server/internal/
+
+# ============================================
+# Archived / deprecated code (pre-v2.0)
+# ============================================
+archive/

dream-server/dream-backup.sh

@@ -20,6 +20,7 @@ NC='\033[0m' # No Color
 
 # Prerequisites check
 command -v rsync >/dev/null 2>&1 || { echo -e "${RED}Error: rsync is required but not installed.${NC}" >&2; echo "Install with: apt install rsync (Debian/Ubuntu) or brew install rsync (macOS)" >&2; exit 1; }
+command -v jq >/dev/null 2>&1 || { echo -e "${RED}Error: jq is required but not installed.${NC}" >&2; echo "Install with: apt install jq (Debian/Ubuntu) or brew install jq (macOS)" >&2; exit 1; }
 
 # Logging functions
 log_info() { echo -e "${BLUE}[INFO]${NC} $*"; }
@@ -126,31 +127,42 @@ create_manifest() {
     local version
     version=$(cat "$DREAM_DIR/.version" 2>/dev/null || echo "unknown")
 
-    cat > "$backup_dir/manifest.json" << EOF
-{
-  "manifest_version": "1.0",
-  "backup_date": "$(date -Iseconds)",
-  "backup_id": "$(basename "$backup_dir")",
-  "backup_type": "$backup_type",
-  "dream_version": "$version",
-  "hostname": "$(hostname)",
-  "description": "$description",
-  "contents": {
-    "user_data": $( [[ "$backup_type" == "full" || "$backup_type" == "user-data" ]] && echo "true" || echo "false" ),
-    "config": $( [[ "$backup_type" == "full" || "$backup_type" == "config" ]] && echo "true" || echo "false" ),
-    "cache": $( [[ "$backup_type" == "full" ]] && echo "true" || echo "false" )
-  },
-  "paths": {
-    "data_open_webui": "data/open-webui",
-    "data_n8n": "data/n8n",
-    "data_qdrant": "data/qdrant",
-    "data_openclaw": "data/openclaw",
-    "env": ".env",
-    "compose": "docker-compose.yml",
-    "config": "config"
-  }
-}
-EOF
+    # Use jq to safely construct JSON (prevents injection via $description)
+    local has_user_data="false" has_config="false" has_cache="false"
+    [[ "$backup_type" == "full" || "$backup_type" == "user-data" ]] && has_user_data="true"
+    [[ "$backup_type" == "full" || "$backup_type" == "config" ]] && has_config="true"
+    [[ "$backup_type" == "full" ]] && has_cache="true"
+
+    jq -n \
+        --arg mv "1.0" \
+        --arg bd "$(date -Iseconds)" \
+        --arg bi "$(basename "$backup_dir")" \
+        --arg bt "$backup_type" \
+        --arg dv "$version" \
+        --arg hn "$(hostname)" \
+        --arg desc "$description" \
+        --argjson ud "$has_user_data" \
+        --argjson cfg "$has_config" \
+        --argjson ca "$has_cache" \
+        '{
+          manifest_version: $mv,
+          backup_date: $bd,
+          backup_id: $bi,
+          backup_type: $bt,
+          dream_version: $dv,
+          hostname: $hn,
+          description: $desc,
+          contents: { user_data: $ud, config: $cfg, cache: $ca },
+          paths: {
+            data_open_webui: "data/open-webui",
+            data_n8n: "data/n8n",
+            data_qdrant: "data/qdrant",
+            data_openclaw: "data/openclaw",
+            env: ".env",
+            compose: "docker-compose.yml",
+            config: "config"
+          }
+        }' > "$backup_dir/manifest.json"
     log_info "Created backup manifest"
 }
 

dream-server/dream-preflight.sh

@@ -10,10 +10,20 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 DREAM_DIR="$SCRIPT_DIR"
 LOG_FILE="$DREAM_DIR/preflight-$(date +%Y%m%d-%H%M%S).log"
 
-# Load config from .env if available
+# Load config from .env safely (line-by-line, no eval/source)
 if [ -f "$DREAM_DIR/.env" ]; then
-    # shellcheck source=/dev/null
-    source "$DREAM_DIR/.env" 2>/dev/null || true
+    while IFS='=' read -r key value; do
+        # Skip comments and empty lines
+        [[ "$key" =~ ^[[:space:]]*# ]] && continue
+        [[ -z "$key" ]] && continue
+        # Only allow safe variable names
+        key=$(echo "$key" | xargs)  # trim whitespace
+        [[ "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue
+        # Strip surrounding quotes from value
+        value="${value%\"}" && value="${value#\"}"
+        value="${value%\'}" && value="${value#\'}"
+        export "$key=$value"
+    done < "$DREAM_DIR/.env"
 fi
 SERVICE_HOST="${SERVICE_HOST:-localhost}"
 

dream-server/dream-restore.sh

@@ -150,9 +150,18 @@ extract_backup() {
     fi
 
     if [[ -f "$compressed" ]]; then
+        # Validate: reject archives with absolute paths or path traversal
+        if tar -tzf "$compressed" 2>/dev/null | grep -qE '(^/|\.\./)'; then
+            log_error "Backup archive contains unsafe paths (absolute or ../) — refusing to extract"
+            return 1
+        fi
         log_info "Extracting compressed backup..."
         mkdir -p "$uncompressed"
-        tar xzf "$compressed" -C "$BACKUP_ROOT"
+        if ! tar xzf "$compressed" --no-same-owner -C "$BACKUP_ROOT"; then
+            log_error "Failed to extract backup archive"
+            rm -rf "$uncompressed"
+            return 1
+        fi
         echo "$uncompressed"
         return 0
     fi

dream-server/dream-uninstall.sh

@@ -0,0 +1,187 @@
+#!/bin/bash
+# dream-uninstall.sh - Dream Server Clean Uninstaller
+# Removes all Dream Server components, data, and system modifications.
+# Usage: ./dream-uninstall.sh [--keep-models] [--keep-data] [--force]
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+INSTALL_DIR="${INSTALL_DIR:-$HOME/dream-server}"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+log_info()  { echo -e "${BLUE}[INFO]${NC} $*"; }
+log_ok()    { echo -e "${GREEN}[OK]${NC} $*"; }
+log_warn()  { echo -e "${YELLOW}[WARN]${NC} $*"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $*" >&2; }
+
+KEEP_MODELS=false
+KEEP_DATA=false
+FORCE=false
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --keep-models) KEEP_MODELS=true; shift ;;
+        --keep-data)   KEEP_DATA=true; shift ;;
+        --force)       FORCE=true; shift ;;
+        -h|--help)
+            cat << EOF
+Dream Server Uninstaller
+
+Usage: $(basename "$0") [OPTIONS]
+
+Options:
+    --keep-models   Keep downloaded AI models (saves re-download time)
+    --keep-data     Keep user data (chat history, n8n workflows, etc.)
+    --force         Skip confirmation prompts
+    -h, --help      Show this help
+
+This will remove:
+    - Docker containers, images, and volumes for Dream Server
+    - Installation directory ($INSTALL_DIR)
+    - Systemd user services (opencode-web, openclaw timers)
+    - CLI symlink (/usr/local/bin/dream-cli)
+    - Backup directory (~/.dream-server)
+
+EOF
+            exit 0
+            ;;
+        *) log_error "Unknown option: $1"; exit 1 ;;
+    esac
+done
+
+echo ""
+echo -e "${RED}╔══════════════════════════════════════════════════╗${NC}"
+echo -e "${RED}║         DREAM SERVER UNINSTALLER                ║${NC}"
+echo -e "${RED}╚══════════════════════════════════════════════════╝${NC}"
+echo ""
+
+# Detect install dir
+if [[ -d "$SCRIPT_DIR" && -f "$SCRIPT_DIR/dream-cli" ]]; then
+    INSTALL_DIR="$SCRIPT_DIR"
+fi
+
+if [[ ! -d "$INSTALL_DIR" ]]; then
+    log_error "Install directory not found: $INSTALL_DIR"
+    exit 1
+fi
+
+log_info "Install directory: $INSTALL_DIR"
+$KEEP_MODELS && log_info "Keeping models (--keep-models)"
+$KEEP_DATA && log_info "Keeping user data (--keep-data)"
+echo ""
+
+if [[ "$FORCE" != "true" ]]; then
+    echo -e "${YELLOW}This will permanently remove Dream Server and its components.${NC}"
+    read -rp "Are you sure? Type 'yes' to confirm: " confirm
+    if [[ "$confirm" != "yes" ]]; then
+        log_info "Uninstall cancelled."
+        exit 0
+    fi
+    echo ""
+fi
+
+# 1. Stop and remove Docker containers
+log_info "Stopping Docker containers..."
+cd "$INSTALL_DIR" 2>/dev/null || true
+if command -v docker &>/dev/null; then
+    # Try docker compose first, fall back to finding dream containers
+    docker compose down --remove-orphans 2>/dev/null || true
+
+    # Remove any remaining dream-* containers
+    dream_containers=$(docker ps -a --filter "name=dream-" --format "{{.Names}}" 2>/dev/null || true)
+    if [[ -n "$dream_containers" ]]; then
+        log_info "Removing Dream Server containers..."
+        echo "$dream_containers" | xargs -r docker rm -f 2>/dev/null || true
+    fi
+
+    # Remove dream-specific Docker volumes
+    dream_volumes=$(docker volume ls --filter "name=dream" --format "{{.Name}}" 2>/dev/null || true)
+    if [[ -n "$dream_volumes" ]]; then
+        log_info "Removing Docker volumes..."
+        echo "$dream_volumes" | xargs -r docker volume rm 2>/dev/null || true
+    fi
+
+    log_ok "Docker cleanup complete"
+else
+    log_warn "Docker not found — skipping container cleanup"
+fi
+
+# 2. Stop and remove systemd user services
+log_info "Removing systemd user services..."
+SYSTEMD_USER_DIR="$HOME/.config/systemd/user"
+for unit in opencode-web.service openclaw-session-cleanup.timer openclaw-session-manager.timer \
+            memory-shepherd-workspace.timer memory-shepherd-memory.timer \
+            openclaw-session-cleanup.service openclaw-session-manager.service \
+            memory-shepherd-workspace.service memory-shepherd-memory.service; do
+    if [[ -f "$SYSTEMD_USER_DIR/$unit" ]]; then
+        systemctl --user disable --now "$unit" 2>/dev/null || true
+        rm -f "$SYSTEMD_USER_DIR/$unit"
+    fi
+done
+systemctl --user daemon-reload 2>/dev/null || true
+log_ok "Systemd services removed"
+
+# 3. Remove CLI symlink
+if [[ -L "/usr/local/bin/dream-cli" ]]; then
+    log_info "Removing CLI symlink..."
+    sudo rm -f /usr/local/bin/dream-cli 2>/dev/null || rm -f /usr/local/bin/dream-cli 2>/dev/null || true
+    log_ok "CLI symlink removed"
+fi
+
+# 4. Remove desktop file
+DESKTOP_FILE="$HOME/.local/share/applications/dream-server.desktop"
+if [[ -f "$DESKTOP_FILE" ]]; then
+    rm -f "$DESKTOP_FILE"
+    log_ok "Desktop entry removed"
+fi
+
+# 5. Remove install directory (with optional data/model preservation)
+log_info "Removing installation directory..."
+if $KEEP_MODELS && [[ -d "$INSTALL_DIR/data/models" ]]; then
+    MODELS_BACKUP="$HOME/.dream-server-models-backup"
+    mkdir -p "$MODELS_BACKUP"
+    mv "$INSTALL_DIR/data/models"/* "$MODELS_BACKUP/" 2>/dev/null || true
+    log_info "Models preserved at: $MODELS_BACKUP"
+fi
+
+if $KEEP_DATA; then
+    # Remove everything except data/
+    find "$INSTALL_DIR" -mindepth 1 -maxdepth 1 ! -name 'data' -exec rm -rf {} + 2>/dev/null || true
+    log_info "User data preserved at: $INSTALL_DIR/data/"
+else
+    rm -rf "$INSTALL_DIR"
+fi
+log_ok "Installation directory cleaned"
+
+# 6. Remove backup directory
+if [[ -d "$HOME/.dream-server" ]]; then
+    log_info "Removing backup directory..."
+    rm -rf "$HOME/.dream-server"
+    log_ok "Backups removed"
+fi
+
+# 7. Remove OpenCode config (if we created it)
+OPENCODE_CONFIG="$HOME/.config/opencode/opencode.json"
+if [[ -f "$OPENCODE_CONFIG" ]] && grep -q "llama-server" "$OPENCODE_CONFIG" 2>/dev/null; then
+    rm -f "$OPENCODE_CONFIG"
+    log_ok "OpenCode config removed"
+fi
+
+echo ""
+echo -e "${GREEN}╔══════════════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║     Dream Server has been uninstalled.           ║${NC}"
+echo -e "${GREEN}╚══════════════════════════════════════════════════╝${NC}"
+echo ""
+if $KEEP_MODELS; then
+    echo "Your models were saved to: $HOME/.dream-server-models-backup"
+    echo "To reuse them on reinstall, move them back to ~/dream-server/data/models/"
+fi
+if $KEEP_DATA; then
+    echo "Your user data was preserved at: $INSTALL_DIR/data/"
+fi

dream-server/dream-update.sh

@@ -12,6 +12,9 @@
 
 set -euo pipefail
 
+# Prerequisites
+command -v jq >/dev/null 2>&1 || { echo "Error: jq is required but not installed." >&2; echo "Install with: apt install jq (Debian/Ubuntu) or brew install jq (macOS)" >&2; exit 1; }
+
 #==============================================================================
 # CONFIGURATION
 #==============================================================================
@@ -94,13 +97,13 @@ cmd_check() {
 
     # Fetch latest release from GitHub
     local api_url="https://api.github.com/repos/${GITHUB_REPO}/releases/latest"
-    local auth_header=""
+    local response
+    local curl_args=(-sf)
     if [[ -n "${GITHUB_TOKEN:-}" ]]; then
-        auth_header="-H \"Authorization: Bearer ${GITHUB_TOKEN}\""
+        curl_args+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
     fi
-    
-    local response
-    if ! response=$(curl -sf ${auth_header} "${api_url}" 2>/dev/null); then
+
+    if ! response=$(curl "${curl_args[@]}" "${api_url}" 2>/dev/null); then
         log_error "Failed to check for updates. Check network or GITHUB_TOKEN."
         return 1
     fi
@@ -221,16 +224,15 @@ cmd_backup() {
         ((files_backed_up++))
     fi
 
-    # Generate metadata
-    cat > "$backup_path/metadata.json" << EOF
-{
-    "backup_id": "${backup_id}",
-    "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
-    "version": "$(get_current_version)",
-    "files_count": ${files_backed_up},
-    "install_dir": "${INSTALL_DIR}"
-}
-EOF
+    # Generate metadata (use jq for safe JSON construction)
+    jq -n \
+        --arg bid "$backup_id" \
+        --arg ts "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+        --arg ver "$(get_current_version)" \
+        --argjson fc "$files_backed_up" \
+        --arg dir "$INSTALL_DIR" \
+        '{backup_id: $bid, timestamp: $ts, version: $ver, files_count: $fc, install_dir: $dir}' \
+        > "$backup_path/metadata.json"
 
     log_ok "Backup created: ${backup_path}"
     log_info "Files backed up: ${files_backed_up}"

dream-server/extensions/services/dashboard/entrypoint.sh

@@ -24,9 +24,11 @@ fi
 # We need to substitute it with the actual value
 if [ -n "$API_KEY" ]; then
     echo "[dashboard] Configuring nginx with API key auth injection"
+    # Escape sed special characters in the API key to prevent injection
+    ESCAPED_KEY=$(printf '%s\n' "$API_KEY" | sed 's/[&/\]/\\&/g')
     # Replace the placeholder (envsubst already ran, but may have left empty value)
-    sed -i "s|Bearer \${DASHBOARD_API_KEY}|Bearer $API_KEY|g" "$NGINX_CONF"
-    sed -i "s|Bearer \"\"|Bearer \"$API_KEY\"|g" "$NGINX_CONF"
+    sed -i "s|Bearer \${DASHBOARD_API_KEY}|Bearer ${ESCAPED_KEY}|g" "$NGINX_CONF"
+    sed -i "s|Bearer \"\"|Bearer \"${ESCAPED_KEY}\"|g" "$NGINX_CONF"
 else
     echo "[dashboard] WARNING: No DASHBOARD_API_KEY found in env or $KEY_FILE"
     echo "[dashboard] API calls will fail with 401 until key is configured"