From 9a6049cccabd6a7c81e999e7429dc0f769aff387 Mon Sep 17 00:00:00 2001 
From: Lior Date: Tue, 26 May 2026 00:25:44 -0400 Subject: [PATCH] fix(B-0789 iter-4.2 fixfwd): resolve 5 post-merge Copilot findings on #5083 (3 P0 + 2 P1) before maintainer test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #5083 auto-merged with required checks green; 5 substantive Copilot findings landed post-merge. All real; the Nix-injection P0 is security-relevant; install-script P0s would abort the install on real hardware. Fix-forward before the maintainer tests iter-4.2 end-to-end. P0 fixes in zeta-install.sh: 1. PRRT_kwDOSF9kNM6Erhtf — `find /iso /run /mnt /boot` under `set -euo pipefail` aborts the install if any start-path doesn't exist (e.g., /iso on some installer ISOs). Fix: filter to existing dirs first via SEARCH_DIRS array; only invoke find if non-empty; append `|| true` to swallow find's own exit code defensively 2. PRRT_kwDOSF9kNM6Erhto — `while read line < $PUBKEY_FILE` reads without sudo; fails on root-owned mounts (/mnt/* or /tmp/zeta-boot-esp from the readonly vfat probe) and aborts the install under `set -e`. Fix: read via `sudo cat` process-substitution 3. PRRT_kwDOSF9kNM6Erhty — NIX CODE INJECTION HAZARD. Pubkey lines interpolated into `"..."` Nix strings without escaping. SSH key comment containing `"` or `\` produces invalid Nix; a maliciously-crafted line on the USB could inject Nix code at install time (operator-ssh-keys.nix is imported by configuration.nix). Fix: sed escape `\\` → `\\\\` then `"` → `\"` (Nix double-quoted-string escape rules; ordering matters — backslash first) P1 fixes: 4. PRRT_kwDOSF9kNM6ErhuB (zflash.ts) — `resolve(next)` in Node doesn't expand `~/`. `--ssh-key ~/.ssh/id_ed25519.pub` would resolve to a literal `~/.ssh/...` path under cwd and fail existence checks. Fix: expand leading `~/` (and bare `~`) to homedir() before resolve 5.
PRRT_kwDOSF9kNM6ErhuK (zflash.ts + zeta-install.sh) — pubkey type regex/glob only matched `ssh-(ed25519|rsa|ecdsa|dss)` — missed `ecdsa-sha2-nistp{256,384,521}` (no ssh- prefix; what ssh-keygen defaults to for ECDSA) and FIDO/security keys `sk-ssh-ed25519@ openssh.com` / `sk-ecdsa-sha2-*`. Fix: broaden to OpenSSH-spec prefixes per sshd(8) AuthorizedKeysFile Also resolves the 5 review threads (handled separately via resolveReviewThread mutation). Tests: - shellcheck clean on zeta-install.sh - zflash.ts --help parses cleanly post-fix Composes with #5083 (iter-4.2 substrate that this PR fix-forwards). Co-Authored-By: Claude
---
 full-ai-cluster/tools/zflash.ts | 19 +++++++++--
 .../usb-nixos-installer/zeta-install.sh | 34 +++++++++++++++----
 2 files changed, 44 insertions(+), 9 deletions(-)
diff --git a/full-ai-cluster/tools/zflash.ts b/full-ai-cluster/tools/zflash.ts
index 90f8fec559..6f0a7a354d 100755
--- a/full-ai-cluster/tools/zflash.ts
+++ b/full-ai-cluster/tools/zflash.ts
@@ -261,13 +261,19 @@ async function injectPubkeyToUsb(pubkeyPath: string): Promise {
 // Read pubkey content
 const pubkey = readFileSync(pubkeyPath, "utf8").trim();
 const firstLine = pubkey.split("\n")[0] ?? "";
- if (!/^ssh-(ed25519|rsa|ecdsa|dss)\s+/.test(firstLine)) {
+ // Per #5083 Copilot P1: broaden to all OpenSSH pubkey type tokens
+ // per sshd(8) AuthorizedKeysFile. Validates structurally: type token
+ // (one of ssh-*, ecdsa-sha2-*, sk-ssh-*, sk-ecdsa-sha2-*) + space +
+ // base64-shaped material (allow any non-whitespace; the actual base64
+ // decode happens on the cluster side).
+ const VALID_PUBKEY = /^(ssh-(ed25519|rsa|dss)|ecdsa-sha2-\S+|sk-ssh-ed25519@\S+|sk-ecdsa-sha2-\S+)\s+\S+/;
+ if (!VALID_PUBKEY.test(firstLine)) {
 try { execFileSync("diskutil", ["unmount", espPart], { stdio: "ignore" }); } catch { /* ignore */ }
- dumpDiagnostics(`${pubkeyPath} first line is not a valid ssh-* pubkey`);
+ dumpDiagnostics(`${pubkeyPath} first line is not a recognized OpenSSH pubkey (expected ssh-ed25519 / ssh-rsa / ssh-dss / ecdsa-sha2-* / sk-ssh-ed25519@* / sk-ecdsa-sha2-*)`);
 bail(3, `iter-4.2 inject failed: ${pubkeyPath} is not a recognized SSH pubkey format.`);
 }
@@ -332,7 +338,14 @@ async function main() {
 if (!next || next.startsWith("-")) {
 bail(2, "--ssh-key requires a path argument (e.g., --ssh-key ~/.ssh/id_ed25519.pub)");
 }
- sshKeyOverride = resolve(next);
+ // Per #5083 Copilot P1: Node's path.resolve doesn't expand `~/` to
+ // homedir; raw `--ssh-key ~/.ssh/id_ed25519.pub` would resolve to
+ // a literal `~/.ssh/...` path under cwd and fail existence checks.
+ // Expand leading `~/` (and bare `~`) to homedir() before resolve.
+ const expanded = next === "~" || next.startsWith("~/")
+ ? join(homedir(), next.slice(next === "~" ? 1 : 2))
+ : next;
+ sshKeyOverride = resolve(expanded);
 i++;
 continue;
 }
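Review bot: Only `firstLine` is validated against VALID_PUBKEY, so if the rest of `pubkey` is written to the USB as read (the write is not in this hunk), any further lines reach the installer unchecked and are only prefix-filtered there. If every line is meant to be a key, check them all: `const badLine = pubkey.split("\n").filter((l) => l.trim() !== "" && !l.startsWith("#")).find((l) => !VALID_PUBKEY.test(l));` and take the existing unmount/dump/bail path when `badLine !== undefined`. VALID_PUBKEY is also rebuilt on each call and named like a module constant; hoisting it to module scope keeps the regex and the list of accepted types in the `dumpDiagnostics` message in one place. The comment says `sk-ssh-*` while the regex accepts only `sk-ssh-ed25519@`; align one with the other. injectPubkeyToUsb begins before this hunk and continues after it.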
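Review bot: The new lines call `join` and `homedir`, but if I count right the per-file diffstat of 19 for zflash.ts is fully accounted for by the two hunks here (+16/−3), leaving no import hunk, so this compiles only if `join` from `node:path` and `homedir` from `node:os` were already imported; worth confirming before the maintainer test. Style: the tilde expansion is inlined in the argument loop; a small `function expandTilde(p: string): string` holding the `p === "~" || p.startsWith("~/")` ternary would let this line read `sshKeyOverride = resolve(expandTilde(next));` and be reusable by any other path option. main() begins before this hunk and continues after it.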
diff --git a/full-ai-cluster/usb-nixos-installer/zeta-install.sh b/full-ai-cluster/usb-nixos-installer/zeta-install.sh
index 43a0dabfb8..081ef786ab 100755
--- a/full-ai-cluster/usb-nixos-installer/zeta-install.sh
+++ b/full-ai-cluster/usb-nixos-installer/zeta-install.sh
@@ -243,9 +243,18 @@ sudo mkdir -p "$PROBE_MOUNT"
 PUBKEY_FILE=""
 INJECT_OK=0
-# Try 1: scan already-mounted filesystems
-PUBKEY_FILE=$(sudo find /iso /run /mnt /boot \
- -maxdepth 5 -name "zeta-authorized-keys.pub" -type f 2>/dev/null | head -1)
+# Try 1: scan already-mounted filesystems.
+# Per #5083 Copilot P0: under `set -euo pipefail`, `find` exits non-zero
+# if any start-path doesn't exist (e.g., `/iso` on some installers),
+# aborting the whole install. Filter to existing dirs first.
+SEARCH_DIRS=()
+for d in /iso /run /mnt /boot; do
+ [ -d "$d" ] && SEARCH_DIRS+=("$d")
+done
+if [ ${#SEARCH_DIRS[@]} -gt 0 ]; then
+ PUBKEY_FILE=$(sudo find "${SEARCH_DIRS[@]}" \
+ -maxdepth 5 -name "zeta-authorized-keys.pub" -type f 2>/dev/null | head -1 || true)
+fi
 # Try 2: probe likely-USB block devices for a FAT partition with the pubkey.
 # Skip BOOT_DISK + DATA_DISKS (install targets).
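Review bot: `head -1` silently takes the first of possibly several matches across /iso, /run, /mnt and /boot, so a stale copy of zeta-authorized-keys.pub on an earlier mount would win over the one on the USB with nothing in the log to show there was a choice. Collecting the candidates with `mapfile` and warning when more than one is found keeps the same first-match behaviour but makes the ambiguity visible to the operator. The `|| true` then belongs on the `find` inside the process substitution, as below.
```shell
if [ ${#SEARCH_DIRS[@]} -gt 0 ]; then
  mapfile -t PUBKEY_CANDIDATES < <(sudo find "${SEARCH_DIRS[@]}" \
    -maxdepth 5 -name "zeta-authorized-keys.pub" -type f 2>/dev/null || true)
  if [ ${#PUBKEY_CANDIDATES[@]} -gt 1 ]; then
    echo "[iter-4.2] warning: ${#PUBKEY_CANDIDATES[@]} zeta-authorized-keys.pub candidates found; using ${PUBKEY_CANDIDATES[0]}" >&2
  fi
  PUBKEY_FILE="${PUBKEY_CANDIDATES[0]:-}"
fi
```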
@@ -281,14 +290,26 @@ fi
 if [ -n "$PUBKEY_FILE" ]; then
 echo "[iter-4.2] found: $PUBKEY_FILE"
+ # Per #5083 Copilot P0: read via `sudo cat` since the pubkey file may be
+ # on a root-owned mount (/mnt/* or /tmp/zeta-boot-esp); plain shell redirect
+ # would fail as the unprivileged user and `set -e` aborts the install.
+ # OpenSSH pubkey type prefixes (per `sshd(8)` AuthorizedKeysFile):
+ # ssh-ed25519, ssh-rsa, ssh-dss, ecdsa-sha2-nistp{256,384,521},
+ # sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com.
 KEY_LINES=()
 while IFS= read -r line; do
 case "$line" in
- ssh-ed25519\ *|ssh-rsa\ *|ssh-ecdsa\ *|ssh-dss\ *|ecdsa-*) KEY_LINES+=("$line") ;;
+ ssh-ed25519\ *|ssh-rsa\ *|ssh-dss\ *|ecdsa-sha2-*\ *|sk-ssh-ed25519@*\ *|sk-ecdsa-sha2-*\ *) KEY_LINES+=("$line") ;;
 esac
- done < "$PUBKEY_FILE"
+ done < <(sudo cat "$PUBKEY_FILE")
 if [ ${#KEY_LINES[@]} -gt 0 ]; then
+ # Per #5083 Copilot P0/security: Nix string-escape the pubkey content
+ # before interpolating into the Nix file. Without this, a key comment
+ # containing `"` or `\` produces invalid Nix; a maliciously-crafted
+ # line on the USB could inject Nix code at install time. Nix double-
+ # quoted strings escape via `\\` → `\\\\` and `"` → `\"`. We apply
+ # both transformations with sed; ordering matters (backslash first).
 {
 echo '# operator-ssh-keys.nix — populated by iter-4.2 zeta-install.sh probe.'
 echo "# Source: $PUBKEY_FILE (boot USB ESP)"
@@ -299,7 +320,8 @@ if [ -n "$PUBKEY_FILE" ]; then
 echo '{'
 echo ' users.users.zeta.openssh.authorizedKeys.keys = ['
 for line in "${KEY_LINES[@]}"; do
- printf ' "%s"\n' "$line"
+ escaped=$(printf '%s' "$line" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
+ printf ' "%s"\n' "$escaped"
 done
 echo ' ];'
 echo '}'
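Review bot: A failure of `sudo cat "$PUBKEY_FILE"` inside the process substitution is invisible: its exit status is subject to neither `set -e` nor `pipefail`, so a sudo failure or an unreadable file leaves KEY_LINES empty and is indistinguishable from a file that simply has no recognised key lines. Reading the file once with an explicit check, `if ! PUBKEY_CONTENT=$(sudo cat "$PUBKEY_FILE"); then echo "[iter-4.2] cannot read $PUBKEY_FILE" >&2; exit 1; fi` (or whatever abort idiom the script already uses), and then looping with `done <<< "$PUBKEY_CONTENT"`, keeps the privileged read while making the failure explicit. The enclosing `if [ -n "$PUBKEY_FILE" ]` block continues past the end of this hunk.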
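Review bot: The sed escape covers `\` and `"` but not `${`, which inside a Nix double-quoted string starts an interpolation, so a key comment containing `${...}` is still evaluated as Nix when operator-ssh-keys.nix is imported; a literal `${` has to be written `\${`. Add a third expression after the backslash one, `sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/\${/\\${/g'`, and update the explanatory comment above the `{` group in the preceding hunk, which currently states that only two transformations are applied. The `for` loop closes in this hunk but the surrounding output block continues outside it.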