carverauto/serviceradar
carverauto/serviceradar
2
3
Fork 0
Code Issues 233 Pull requests 24 Projects Releases 254 Packages Wiki Activity Actions 8

feat(agent): extract pushed-artifact add-on tarballs (delivery-models 1.2) (#3425) #3468

Merged
mfreeman451 merged 1 commit from feat/addon-pushed-tarball into staging 2026-05-31 16:16:35 +00:00
Conversation 1 Commits 1 Files changed 2 +276 -12
mfreeman451 commented 2026-05-31 16:15:35 +00:00
Owner
Copy link

What

delivery-models task 1.2 (agent-side tarball delivery). A pushed-artifact add-on can now be a gzip tarball bundling the binary + its addon.yaml/config.schema.json + any .service/.timer units — not just a bare executable.

stageAddonArtifact auto-detects gzip (a bare binary still works unchanged for single-binary agent-sidecar add-ons), verifies the sha256/signature over the raw artifact bytes, and extracts the tarball into the versioned staging dir so the binary and its units land side-by-side under current/ — exactly where the agent discovers units and the root-owned updater applies setcap / installs systemd units.

This is the missing delivery link: it's what gets the .service/.timer files to the agent so the systemd supervision dispatch (the supervision slice) can install them.

Security

Extraction is hardened against hostile/malformed artifacts:

  • every entry must be a regular file named as a single safe path segment — rejects ../ traversal, subdirectories, symlinks, and hardlinks (ErrAddonTarballUnsafe);
  • bounded entry count (64) and per-file (512 MiB) / total (1 GiB) sizes, with a hard read cap independent of the declared header size — decompression-bomb guard (ErrAddonTarballTooLarge);
  • the declared binary must be present (ErrAddonTarballBinaryMissing);
  • binary written 0755, all other files 0644.

Verification

Unit tests: tarball extraction (binary executable + manifest/units 0644 under current/), missing-binary, unsafe entries (traversal / subdir / symlink), too-many-entries; bare-binary delivery regression intact. go build/vet/golangci-lint clean. (Extraction is platform-agnostic; the downstream setcap/systemctl were host-verified in the prior slices.)

Scope / follow-ups

  • Off staging, independent of the supervision-dispatch PR (different files); they compose when both land.
  • Build-side production of the per-arch tarball (the assembler/inventory + the signed-publish pipeline) is the complementary build-signing follow-up; this PR makes the agent ready to receive them.

🤖 Generated with Claude Code

## What delivery-models **task 1.2** (agent-side tarball delivery). A pushed-artifact add-on can now be a **gzip tarball** bundling the binary + its `addon.yaml`/`config.schema.json` + any `.service`/`.timer` units — not just a bare executable. `stageAddonArtifact` auto-detects gzip (a bare binary still works unchanged for single-binary `agent-sidecar` add-ons), verifies the sha256/signature over the raw artifact bytes, and extracts the tarball into the versioned staging dir so the binary and its units land **side-by-side under `current/`** — exactly where the agent discovers units and the root-owned updater applies `setcap` / installs systemd units. This is the missing delivery link: it's what gets the `.service`/`.timer` files to the agent so the systemd supervision dispatch (the supervision slice) can install them. ## Security Extraction is hardened against hostile/malformed artifacts: - every entry must be a **regular file** named as a **single safe path segment** — rejects `../` traversal, subdirectories, symlinks, and hardlinks (`ErrAddonTarballUnsafe`); - **bounded** entry count (64) and per-file (512 MiB) / total (1 GiB) sizes, with a hard read cap independent of the declared header size — decompression-bomb guard (`ErrAddonTarballTooLarge`); - the declared binary must be present (`ErrAddonTarballBinaryMissing`); - binary written `0755`, all other files `0644`. ## Verification Unit tests: tarball extraction (binary executable + manifest/units `0644` under `current/`), missing-binary, unsafe entries (traversal / subdir / symlink), too-many-entries; **bare-binary delivery regression intact**. `go build`/`vet`/`golangci-lint` clean. (Extraction is platform-agnostic; the downstream `setcap`/`systemctl` were host-verified in the prior slices.) ## Scope / follow-ups - Off `staging`, independent of the supervision-dispatch PR (different files); they compose when both land. - Build-side **production** of the per-arch tarball (the assembler/inventory + the signed-publish pipeline) is the complementary build-signing follow-up; this PR makes the agent **ready to receive** them. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
feat(agent): extract pushed-artifact add-on tarballs (delivery-models 1.2) (#3425)
Some checks failed
Secret Scan / gitleaks (pull_request) Successful in 22s
Details
lint / lint (push) Successful in 1m20s
Details
lint / lint (pull_request) Successful in 1m47s
Details
Golang Tests / test-go (push) Successful in 3m3s
Details
CI / build (pull_request) Failing after 2m44s
Details
396f67bf5f 
A pushed artifact can now be a gzip tarball bundling the add-on binary plus its
manifest/config and systemd unit files, not just a bare executable. stageAddonArtifact
auto-detects gzip (vs a bare binary, which still works unchanged), verifies the
sha256/signature over the raw artifact bytes, and extracts the tarball into the
versioned staging dir so the binary and its units land side-by-side under `current/` --
which is exactly where the agent discovers units and the root-owned updater applies
setcap / installs systemd units.

This is the delivery mechanism that gets .service/.timer units to the agent (the
discovery + systemd dispatch from the supervision slice consumes them).

Extraction is hardened against hostile/malformed artifacts: every entry must be a
regular file named as a single safe path segment (rejects traversal, subdirs, symlinks,
hardlinks); entry count and per-file/total sizes are bounded (decompression-bomb guard);
the declared binary must be present. The binary is written 0755, all other files 0644.

Tested: tarball extraction (binary executable + units/manifest 0644 under current/),
missing-binary, unsafe-entry (traversal/subdir/symlink), too-many-entries; bare-binary
delivery regression intact. Build/vet/golangci-lint clean. Build-side production of the
per-arch tarball is the complementary build-signing/bundle follow-up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mfreeman451 reviewed 2026-05-31 16:16:29 +00:00
mfreeman451 left a comment
Copy link

lgtm

lgtm
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
1week

   
2weeks

   
Failed compliance check

   
IP cameras

   
NATS
NATS JetStream

  
Possible security concern

   
Review effort 1/5

   
Review effort 2/5

   
Review effort 3/5

   
Review effort 4/5

   
Review effort 5/5

   
UI

   
aardvark

   
accessibility

   
amd64

   
api

   
arm64

   
auth

   
back-end

   
bgp

   
blog

   
bug
Something isn't working

  
build

   
checkers

   
ci-cd
continuous integration-continuous deployments

  
cleanup

   
cnpg
cloud-native postgres

  
codex

   
core
core service

  
dependencies
Pull requests that update a dependency file

  
device-management

   
documentation
Improvements or additions to documentation

  
duplicate
This issue or pull request already exists

  
dusk

   
ebpf

   
enhancement
New feature or request

  
eta 1d

   
eta 1hr

   
eta 3d

   
eta 3hr

   
feature

   
fieldsurvey

   
github_actions
Pull requests that update GitHub Actions code

  
go
Pull requests that update Go code

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
javascript
Pull requests that update Javascript code

  
k8s

   
log-collector

   
mapper

   
mtr
multi traceroute

  
needs-triage

   
netflow

   
network-sweep

   
observability

   
oracle
Oracle Linux related issues

  
otel
opentelemetry logs, traces, metrics

  
plug-in

   
proton
timeplus proton streaming database

  
python

   
question
Further information is requested

  
reddit

   
redhat

   
research

   
rperf

   
rperf-checker

   
rust
Pull requests that update rust code

  
sdk

   
security

   
serviceradar-agent

   
serviceradar-agent-gateway

   
serviceradar-web

   
serviceradar-web-ng

   
siem

   
snmp

   
sysmon

   
topology

   
ubiquiti

   
wasm

   
wontfix
This will not be worked on

  
zen-engine
No labels
1week
2weeks
Failed compliance check
IP cameras
NATS
Possible security concern
Review effort 1/5
Review effort 2/5
Review effort 3/5
Review effort 4/5
Review effort 5/5
UI
aardvark
accessibility
amd64
api
arm64
auth
back-end
bgp
blog
bug
build
checkers
ci-cd
cleanup
cnpg
codex
core
dependencies
device-management
documentation
duplicate
dusk
ebpf
enhancement
eta 1d
eta 1hr
eta 3d
eta 3hr
feature
fieldsurvey
github_actions
go
good first issue
help wanted
invalid
javascript
k8s
log-collector
mapper
mtr
needs-triage
netflow
network-sweep
observability
oracle
otel
plug-in
proton
python
question
reddit
redhat
research
rperf
rperf-checker
rust
sdk
security
serviceradar-agent
serviceradar-agent-gateway
serviceradar-web
serviceradar-web-ng
siem
snmp
sysmon
topology
ubiquiti
wasm
wontfix
zen-engine
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
carverauto/serviceradar!3468
No description provided.