Merge branch 'main' into feat/slack-bridge

Author: caco26i

scripts/install-openshell.sh

@@ -79,14 +79,23 @@ esac
 tmpdir="$(mktemp -d)"
 trap 'rm -rf "$tmpdir"' EXIT
 
+CHECKSUM_FILE="openshell-checksums-sha256.txt"
 if command -v gh >/dev/null 2>&1; then
   GH_TOKEN="${GITHUB_TOKEN:-}" gh release download --repo NVIDIA/OpenShell \
     --pattern "$ASSET" --dir "$tmpdir"
+  GH_TOKEN="${GITHUB_TOKEN:-}" gh release download --repo NVIDIA/OpenShell \
+    --pattern "$CHECKSUM_FILE" --dir "$tmpdir"
 else
   curl -fsSL "https://github.com/NVIDIA/OpenShell/releases/latest/download/$ASSET" \
     -o "$tmpdir/$ASSET"
+  curl -fsSL "https://github.com/NVIDIA/OpenShell/releases/latest/download/$CHECKSUM_FILE" \
+    -o "$tmpdir/$CHECKSUM_FILE"
 fi
 
+info "Verifying SHA-256 checksum..."
+(cd "$tmpdir" && grep -F "$ASSET" "$CHECKSUM_FILE" | shasum -a 256 -c -) \
+  || fail "SHA-256 checksum verification failed for $ASSET"
+
 tar xzf "$tmpdir/$ASSET" -C "$tmpdir"
 
 target_dir="/usr/local/bin"

test/runner.test.js

@@ -293,5 +293,11 @@ describe("regression guards", () => {
         expect(line.includes("NVIDIA_API_KEY")).toBe(false);
       }
     });
+
+    it("install-openshell.sh verifies OpenShell binary checksum after download", () => {
+      const src = fs.readFileSync(path.join(import.meta.dirname, "..", "scripts", "install-openshell.sh"), "utf-8");
+      expect(src).toContain("openshell-checksums-sha256.txt");
+      expect(src).toContain("shasum -a 256 -c");
+    });
   });
 });