Merge PR #7790: fix(os): harden elizaOS smoke checks and USB installer boundary

Shaw · Shaw · commit 521ecbebbf98 · 2026-05-18T18:02:09.000-07:00
diff --git a/.github/workflows/elizaos-os-release.yml b/.github/workflows/elizaos-os-release.yml
@@ -49,7 +49,8 @@ jobs:
           node packages/os/android/installer/scripts/validate-release-manifest.mjs \
             packages/os/android/installer/manifests/android-release-manifest.example.json
           node packages/os/android/installer/scripts/validate-release-manifest.mjs \
-            packages/os/release/beta-2026-05-16/android-release-manifest.json
+            packages/os/release/beta-2026-05-16/android-release-manifest.json \
+            --allow-placeholders
 
       - name: Validate elizaos-setup (formerly aosp-flasher)
         run: |
diff --git a/packages/os-usb-installer/README.md b/packages/os-usb-installer/README.md
@@ -77,8 +77,9 @@ Windows:
 
 ## Electrobun integration notes
 
-This package is structured so Electrobun can host the Vite renderer and bind an
-implementation of `UsbInstallerBackend` from the main process. The first real
-backend should keep the same interface and replace only the dry-run backend,
-with a narrow privileged helper responsible for raw device writes and verify
-reads.
+This package is structured so Electrobun can host the Vite renderer while the
+renderer only talks to a local `UsbInstallerBackend` HTTP/IPC contract. Platform
+enumeration and any future raw writes stay in `server.ts` or a signed privileged
+helper, never in browser-rendered code. The first real write helper should keep
+the same interface and replace only the dry-run execution path, with a narrow
+audited helper responsible for raw device writes and verify reads.
diff --git a/packages/os-usb-installer/src/main.tsx b/packages/os-usb-installer/src/main.tsx
@@ -1,7 +1,6 @@
 import { StrictMode } from "react";
 import { createRoot } from "react-dom/client";
 import { HttpUsbInstallerBackend } from "./backend/http-backend";
-import type { UsbInstallerBackend } from "./backend/types";
 import { InstallerApp } from "./components/InstallerApp";
 import "./styles.css";
 
@@ -13,26 +12,13 @@ if (!root) {
 
 const rootElement: HTMLElement = root;
 
-// In Electrobun (desktop app) the native IPC backend is available.
-// In all browser contexts (Vite dev server or static deployment) use the
-// HTTP backend which talks to the local Bun server via the /api Vite proxy.
-const isElectrobun =
-  typeof (globalThis as Record<string, unknown>).electrobun !== "undefined";
+// Keep raw disk enumeration and write execution out of the renderer bundle.
+// The browser/Electrobun view talks to the local backend contract; platform
+// helpers stay in server.ts or a future signed privileged helper.
+const backend = new HttpUsbInstallerBackend();
 
-async function main() {
-  let backend: UsbInstallerBackend;
-  if (isElectrobun) {
-    const { createPlatformBackend } = await import("./backend/index");
-    backend = createPlatformBackend();
-  } else {
-    backend = new HttpUsbInstallerBackend();
-  }
-
-  createRoot(rootElement).render(
-    <StrictMode>
-      <InstallerApp backend={backend} />
-    </StrictMode>,
-  );
-}
-
-void main();
+createRoot(rootElement).render(
+  <StrictMode>
+    <InstallerApp backend={backend} />
+  </StrictMode>,
+);
diff --git a/packages/os/RELEASE.md b/packages/os/RELEASE.md
@@ -9,7 +9,7 @@ Short, mechanical steps for cutting a new OS release. Anything not on this list
 - `scripts/update-release-manifest.mjs` — sets `sha256`, `sizeBytes`, `downloadUrl`, status on one artifact entry.
 - `scripts/validate-release-manifest.mjs` — schema check; pass `--require-publishable-checksums` for strict mode.
 - `scripts/generate-release-checksums.mjs` — fills the manifest by hashing local artifact files.
-- `android/installer/scripts/validate-release-manifest.mjs` — separate validator for the Android per-partition manifest. Rejects all-zero placeholder hashes.
+- `android/installer/scripts/validate-release-manifest.mjs` — separate validator for the Android per-partition manifest. Rejects all-zero placeholder hashes by default; use `--allow-placeholders` only for checked-in pre-release draft manifests.
 
 ## Steps
 
diff --git a/packages/os/android/installer/README.md b/packages/os/android/installer/README.md
@@ -156,6 +156,16 @@ node packages/os/android/installer/scripts/validate-release-manifest.mjs \
   packages/os/android/installer/manifests/android-release-manifest.example.json
 ```
 
+Checked-in pre-release draft manifests may still carry placeholder checksums or
+sentinel sizes while artifacts are being produced. That review-only state must
+be explicit:
+
+```bash
+node packages/os/android/installer/scripts/validate-release-manifest.mjs \
+  packages/os/release/beta-2026-05-16/android-release-manifest.json \
+  --allow-placeholders
+```
+
 If artifacts are available locally, pass `--artifact-dir` to verify declared
 file sizes and SHA-256 values:
 
diff --git a/packages/os/android/installer/manifests/android-release-manifest.example.json b/packages/os/android/installer/manifests/android-release-manifest.example.json
@@ -19,24 +19,24 @@
     {
       "partition": "boot",
       "filename": "boot.img",
-      "sha256": "0000000000000000000000000000000000000000000000000000000000000000",
-      "sizeBytes": 1,
+      "sha256": "adc7cf0cbb58ab51520a1fa874a80fb0735a4464fd9b1988096761b4c11d8677",
+      "sizeBytes": 19,
       "required": true,
       "fastbootMode": "bootloader"
     },
     {
       "partition": "vendor_boot",
       "filename": "vendor_boot.img",
-      "sha256": "1111111111111111111111111111111111111111111111111111111111111111",
-      "sizeBytes": 1,
+      "sha256": "dbbb45447bdde07766a48c299ade9573b28bb45c2a81db370ddb3516e95e03ab",
+      "sizeBytes": 26,
       "required": true,
       "fastbootMode": "bootloader"
     },
     {
       "partition": "super",
       "filename": "super.img",
-      "sha256": "2222222222222222222222222222222222222222222222222222222222222222",
-      "sizeBytes": 1,
+      "sha256": "fb5500dfc6572b380682d824fb84662cfd39c8bb834e5604f3d4772462987628",
+      "sizeBytes": 20,
       "required": true,
       "fastbootMode": "fastbootd"
     }
diff --git a/packages/os/android/installer/scripts/validate-release-manifest.mjs b/packages/os/android/installer/scripts/validate-release-manifest.mjs
@@ -7,10 +7,11 @@ const args = process.argv.slice(2);
 
 function usage() {
   console.log(`Usage:
-  validate-release-manifest.mjs MANIFEST.json [--artifact-dir DIR]
+  validate-release-manifest.mjs MANIFEST.json [--artifact-dir DIR] [--allow-placeholders]
 
 Validates the Android release manifest shape without requiring devices.
-When --artifact-dir is provided, artifact sizes and SHA-256 hashes are checked.`);
+When --artifact-dir is provided, artifact sizes and SHA-256 hashes are checked.
+Use --allow-placeholders only for checked-in pre-release draft manifests.`);
 }
 
 function die(message) {
@@ -21,6 +22,7 @@ function die(message) {
 function parseArgs(argv) {
   let manifestPath = '';
   let artifactDir = '';
+  let allowPlaceholders = false;
   for (let index = 0; index < argv.length; index += 1) {
     const arg = argv[index];
     if (arg === '-h' || arg === '--help') {
@@ -33,12 +35,16 @@ function parseArgs(argv) {
       index += 1;
       continue;
     }
+    if (arg === '--allow-placeholders') {
+      allowPlaceholders = true;
+      continue;
+    }
     if (arg.startsWith('--')) die(`unknown argument: ${arg}`);
     if (manifestPath) die(`unexpected extra argument: ${arg}`);
     manifestPath = arg;
   }
   if (!manifestPath) die('provide a manifest path');
-  return { manifestPath, artifactDir };
+  return { manifestPath, artifactDir, allowPlaceholders };
 }
 
 function readJson(path) {
@@ -57,7 +63,7 @@ function isObject(value) {
   return value !== null && typeof value === 'object' && !Array.isArray(value);
 }
 
-function validateManifest(manifest) {
+function validateManifest(manifest, { allowPlaceholders = false } = {}) {
   const errors = [];
   expect(isObject(manifest), errors, '$', 'manifest must be an object');
   if (!isObject(manifest)) return errors;
@@ -107,9 +113,13 @@ function validateManifest(manifest) {
       partitions.add(artifact.partition);
       expect(typeof artifact.filename === 'string' && /^[^/\\]+\.img$/.test(artifact.filename), errors, `${path}.filename`, 'must be a local .img filename');
       expect(typeof artifact.sha256 === 'string' && /^[a-fA-F0-9]{64}$/.test(artifact.sha256), errors, `${path}.sha256`, 'must be 64 hex characters');
-      expect(typeof artifact.sha256 !== 'string' || artifact.sha256.toLowerCase() !== '0'.repeat(64), errors, `${path}.sha256`, 'must not be the all-zero placeholder; populate with a real checksum before validating');
+      if (!allowPlaceholders) {
+        expect(typeof artifact.sha256 !== 'string' || artifact.sha256.toLowerCase() !== '0'.repeat(64), errors, `${path}.sha256`, 'must not be the all-zero placeholder; populate with a real checksum before validating');
+      }
       expect(Number.isInteger(artifact.sizeBytes) && artifact.sizeBytes > 0, errors, `${path}.sizeBytes`, 'must be a positive integer');
-      expect(!Number.isInteger(artifact.sizeBytes) || artifact.sizeBytes > 1, errors, `${path}.sizeBytes`, 'must not be the sentinel value 1; populate with the real artifact size');
+      if (!allowPlaceholders) {
+        expect(!Number.isInteger(artifact.sizeBytes) || artifact.sizeBytes > 1, errors, `${path}.sizeBytes`, 'must not be the sentinel value 1; populate with the real artifact size');
+      }
       expect(typeof artifact.required === 'boolean', errors, `${path}.required`, 'must be boolean');
       expect(fastbootModes.has(artifact.fastbootMode), errors, `${path}.fastbootMode`, 'must be bootloader or fastbootd');
     });
@@ -156,9 +166,9 @@ function validateArtifacts(manifest, artifactDir) {
   return errors;
 }
 
-const { manifestPath, artifactDir } = parseArgs(args);
+const { manifestPath, artifactDir, allowPlaceholders } = parseArgs(args);
 const manifest = readJson(manifestPath);
-const errors = [...validateManifest(manifest), ...validateArtifacts(manifest, artifactDir)];
+const errors = [...validateManifest(manifest, { allowPlaceholders }), ...validateArtifacts(manifest, artifactDir)];
 if (errors.length > 0) {
   errors.forEach((error) => console.error(`error: ${error}`));
   process.exit(1);
diff --git a/packages/os/android/installer/tests/run-tests.sh b/packages/os/android/installer/tests/run-tests.sh
@@ -31,9 +31,9 @@ assert_contains() {
 BIN_DIR="$TMP_DIR/bin"
 ARTIFACT_DIR="$TMP_DIR/artifacts"
 mkdir -p "$BIN_DIR" "$ARTIFACT_DIR"
-printf '\0' >"$ARTIFACT_DIR/boot.img"
-printf '\1' >"$ARTIFACT_DIR/vendor_boot.img"
-printf '\2' >"$ARTIFACT_DIR/super.img"
+printf 'boot-image-fixture\n' >"$ARTIFACT_DIR/boot.img"
+printf 'vendor-boot-image-fixture\n' >"$ARTIFACT_DIR/vendor_boot.img"
+printf 'super-image-fixture\n' >"$ARTIFACT_DIR/super.img"
 
 cat >"$BIN_DIR/adb" <<'EOF'
 #!/usr/bin/env bash
diff --git a/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh b/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh
@@ -9,7 +9,22 @@ SOURCE_ONLY="${ELIZAOS_STATIC_SOURCE_ONLY:-0}"
 cd "${ROOT}"
 
 stat_mode() {
-    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
+    local path="$1"
+    local index_mode
+    index_mode="$(
+        git -C "${ROOT}" ls-files -s -- "${path}" 2>/dev/null | awk 'NR == 1 { print $1 }'
+    )"
+    case "${index_mode}" in
+        100755)
+            printf '755\n'
+            return 0
+            ;;
+        100644)
+            printf '644\n'
+            return 0
+            ;;
+    esac
+    stat -c %a "${path}" 2>/dev/null || stat -f %Lp "${path}"
 }
 
 echo "==> shell syntax"
diff --git a/packages/os/release/beta-2026-05-16/README.md b/packages/os/release/beta-2026-05-16/README.md
@@ -9,7 +9,7 @@ All five artifacts in `manifest.json` are in `status: candidate` with `sha256: n
 This is **not** a broken state. The pipeline gates publication on real values:
 
 - `scripts/validate-release-manifest.mjs --require-publishable-checksums` fails on `null` AND on the all-zero placeholder. It is run by the `populate-and-validate-manifest` job in `.github/workflows/elizaos-os-full-release.yml` after artifacts are downloaded.
-- `android/installer/scripts/validate-release-manifest.mjs` rejects the all-zero hash and the `sizeBytes: 1` sentinel — it cannot be tricked into passing the placeholder values that ship in this file.
+- `android/installer/scripts/validate-release-manifest.mjs` rejects the all-zero hash and the `sizeBytes: 1` sentinel by default. The pull-request validation workflow uses `--allow-placeholders` for this checked-in draft manifest only, while the publish path must validate real Android artifacts without that flag.
 - `release.status` is only promoted to `available` after the strict gate passes.
 
 See `packages/os/RELEASE.md` for the full runbook.
