fix: wrap generated scripts in main() for safe curl|bash piping

fullstackjam · fullstackjam · commit 1f6eb167acc5 · 2026-03-17T07:52:42.000+08:00
When bash reads a script from a pipe (curl | bash), exec &lt; /dev/tty at
the top level redirects stdin away from the pipe mid-read, causing bash
to lose the rest of the script and hang. Wrapping in main() forces bash
to parse the entire script before executing, matching the pattern used
by scripts/install.sh, rustup, and other curl|bash installers.
diff --git a/src/lib/server/install-script.test.ts b/src/lib/server/install-script.test.ts
@@ -2,13 +2,15 @@ import { describe, it, expect } from 'vitest';
 import { generatePrivateInstallScript, generateInstallScript } from './install-script';
 
 describe('generatePrivateInstallScript', () => {
-	it('should reopen stdin from /dev/tty for curl|bash', () => {
+	it('should wrap everything in main() for safe curl|bash piping', () => {
 		const script = generatePrivateInstallScript(
 			'https://openboot.dev',
 			'testuser',
 			'my-config'
 		);
 
+		expect(script).toContain('main()');
+		expect(script).toMatch(/main "\$@"\s*$/);
 		expect(script).toContain('exec < /dev/tty');
 	});
 
@@ -110,9 +112,11 @@ describe('generatePrivateInstallScript', () => {
 });
 
 describe('generateInstallScript', () => {
-	it('should reopen stdin from /dev/tty for curl|bash', () => {
+	it('should wrap everything in main() for safe curl|bash piping', () => {
 		const script = generateInstallScript('testuser', 'my-config', '', '');
 
+		expect(script).toContain('main()');
+		expect(script).toMatch(/main "\$@"\s*$/);
 		expect(script).toContain('exec < /dev/tty');
 	});
 
diff --git a/src/lib/server/install-script.ts b/src/lib/server/install-script.ts
@@ -13,6 +13,7 @@ export function generatePrivateInstallScript(
 	return `#!/bin/bash
 set -e
 
+main() {
 # When run via "curl | bash", stdin is the script content, not the terminal.
 # Reopen stdin from /dev/tty so interactive prompts (sudo, Homebrew) work.
 if [ ! -t 0 ] && [ -e /dev/tty ]; then
@@ -83,6 +84,9 @@ echo "Authorized! Fetching install script..."
 echo ""
 
 exec bash <(curl -fsSL -H "Authorization: Bearer \$TOKEN" "\$APP_URL/${safeUsername}/${safeSlug}/install")
+}
+
+main "\$@"
 `;
 }
 
@@ -98,6 +102,7 @@ export function generateInstallScript(
 	return `#!/bin/bash
 set -e
 
+main() {
 # When run via "curl | bash", stdin is the script content, not the terminal.
 # Reopen stdin from /dev/tty so interactive prompts (sudo, Homebrew) work.
 if [ ! -t 0 ] && [ -e /dev/tty ]; then
@@ -218,5 +223,8 @@ done
 
 echo ""
 echo "Installation complete!"
+}
+
+main "\$@"
 `;
 }
