security: fix clawhub analysis findings (#31)

electather · web-flow · commit c7be14a024bc · 2026-03-14T21:53:33.000Z
diff --git a/AGENT.md b/AGENT.md
@@ -16,6 +16,9 @@ env:
   - name: SEER_API_KEY
     description: API key for authenticating with the Seer server
     required: true
+  - name: SEER_MCP_AUTH_TOKEN
+    description: Bearer token for authenticating MCP HTTP transport clients (required when running the HTTP server; omit for stdio transport)
+    required: false
 ---
 
 # seer-cli
diff --git a/Dockerfile b/Dockerfile
@@ -18,7 +18,7 @@ COPY . .
 RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /seer-cli .
 
 # Stage 2: Final image
-FROM alpine:latest
+FROM alpine:3.21
 
 RUN apk add --no-cache ca-certificates
 
diff --git a/install.sh b/install.sh
@@ -58,10 +58,25 @@ echo "Installing ${BIN} ${VERSION} (${OS}/${ARCH})..."
 TMP=$(mktemp -d)
 trap 'rm -rf "$TMP"' EXIT
 
+CHECKSUMS_FILE="${BIN}_${VERSION_BARE}_checksums.txt"
+CHECKSUMS_URL="https://github.com/${REPO}/releases/download/${VERSION}/${CHECKSUMS_FILE}"
+
 if command -v curl > /dev/null 2>&1; then
   curl -fsSL "$URL" -o "${TMP}/${ARCHIVE}"
+  curl -fsSL "$CHECKSUMS_URL" -o "${TMP}/${CHECKSUMS_FILE}"
 else
   wget -qO "${TMP}/${ARCHIVE}" "$URL"
+  wget -qO "${TMP}/${CHECKSUMS_FILE}" "$CHECKSUMS_URL"
+fi
+
+# ── Verify checksum ───────────────────────────────────────────────────────────
+echo "Verifying checksum..."
+if command -v sha256sum > /dev/null 2>&1; then
+  (cd "$TMP" && grep "${ARCHIVE}" "${CHECKSUMS_FILE}" | sha256sum -c -)
+elif command -v shasum > /dev/null 2>&1; then
+  (cd "$TMP" && grep "${ARCHIVE}" "${CHECKSUMS_FILE}" | shasum -a 256 -c -)
+else
+  echo "Warning: sha256sum/shasum not found — skipping checksum verification"
 fi
 
 tar -xzf "${TMP}/${ARCHIVE}" -C "$TMP"
