fix(security): parse refreshed installer urls robustly

Author: Dicklesworthstone

scripts/generated/internal_checksums.sh

@@ -8,9 +8,9 @@
 # Used by check-manifest-drift.sh to detect unauthorized changes.
 
 declare -gA ACFS_INTERNAL_CHECKSUMS=(
-  [scripts/lib/security.sh]="1fc1cb591fd62ac56d12c5af183de9674e501a74d478b3dd60901167262e919a"
+  [scripts/lib/security.sh]="d82c1b79d17a0063e4d60cb12587f3550e25fa114a4261bd57bc350bcf297cad"
   [scripts/lib/agents.sh]="0d4e7666b7a7267203445c364ad2d4997775826175700627abe83c70afce2269"
-  [scripts/lib/update.sh]="8a43e4fcfef29df3eadb0c69a091a66670d0834cc3b7e8691835f6acd5e418a5"
+  [scripts/lib/update.sh]="10621235fd8472ef4ab0a1c75c20bce2488b27b6664144ed923516972cecee23"
   [scripts/lib/doctor.sh]="89cbdcf2c6b5a88404857a8885508f686c9aeba04e69a95b4e99475ba9148f42"
   [scripts/lib/doctor_fix.sh]="0010bcf607fce4cb5447a7f5daee0bdf507b03839f97be746a0afdab97e1b249"
   [scripts/lib/autofix.sh]="ae7cc5e0b3af3f170d647945d3daee9a341c9276c270fe06895ab9aaf26ba805"

scripts/lib/security.sh

@@ -855,9 +855,21 @@ load_checksums() {
 
         # Match url value for the current tool — override KNOWN_INSTALLERS so
         # stale URLs baked into an older security.sh are corrected when
-        # checksums.yaml is refreshed from GitHub.
-        if [[ -n "$current_tool" ]] && [[ "$line" =~ url:[[:space:]]*\"(https://[^\"]+)\" ]]; then
-            KNOWN_INSTALLERS["$current_tool"]="${BASH_REMATCH[1]}"
+        # checksums.yaml is refreshed from GitHub. Accept quoted or unquoted
+        # YAML scalars, matching install.sh's bootstrap parser.
+        if [[ -n "$current_tool" ]] && [[ "$line" =~ ^[[:space:]]*url:[[:space:]]*(.*)$ ]]; then
+            local url_value="${BASH_REMATCH[1]}"
+            url_value="${url_value%%#*}"
+            url_value="${url_value%"${url_value##*[![:space:]]}"}"
+            url_value="${url_value#"${url_value%%[![:space:]]*}"}"
+            url_value="${url_value%\"}"
+            url_value="${url_value#\"}"
+            url_value="${url_value%\'}"
+            url_value="${url_value#\'}"
+
+            if [[ "$url_value" =~ ^https://[^[:space:]]+$ ]]; then
+                KNOWN_INSTALLERS["$current_tool"]="$url_value"
+            fi
         fi
 
         # Match sha256 value for the current tool.

scripts/lib/update.sh

@@ -2858,8 +2858,17 @@ update_sync_known_installer_urls_from_checksums() {
             fi
         fi
 
-        if [[ -n "$current_tool" ]] && [[ "$line" =~ url:[[:space:]]*\"(https://[^\"]+)\" ]]; then
+        if [[ -n "$current_tool" ]] && [[ "$line" =~ ^[[:space:]]*url:[[:space:]]*(.*)$ ]]; then
             local refreshed_url="${BASH_REMATCH[1]}"
+            refreshed_url="${refreshed_url%%#*}"
+            refreshed_url="${refreshed_url%"${refreshed_url##*[![:space:]]}"}"
+            refreshed_url="${refreshed_url#"${refreshed_url%%[![:space:]]*}"}"
+            refreshed_url="${refreshed_url%\"}"
+            refreshed_url="${refreshed_url#\"}"
+            refreshed_url="${refreshed_url%\'}"
+            refreshed_url="${refreshed_url#\'}"
+            [[ "$refreshed_url" =~ ^https://[^[:space:]]+$ ]] || continue
+
             local previous_url="${KNOWN_INSTALLERS[$current_tool]:-}"
             if [[ "$previous_url" != "$refreshed_url" ]]; then
                 KNOWN_INSTALLERS["$current_tool"]="$refreshed_url"

tests/unit/lib/test_security.bats

@@ -270,15 +270,19 @@ stub_acfs_curl_response() {
     # Need full 64-char sha256 for regex
     local sha1="1111111111111111111111111111111111111111111111111111111111111111"
     local sha2="2222222222222222222222222222222222222222222222222222222222222222"
+    local sha3="3333333333333333333333333333333333333333333333333333333333333333"
 
     cat > "$CHECKSUMS_FILE" <<EOF
 installers:
   tool1:
     url: "https://example.com/1"
     sha256: "$sha1"
   tool2:
-    url: "https://example.com/2"
+    url: 'https://example.com/2'
     sha256: "$sha2"
+  tool3:
+    url: https://example.com/3
+    sha256: "$sha3"
 EOF
 
     echo "DEBUG: CHECKSUMS_FILE=$CHECKSUMS_FILE" >&2
@@ -300,4 +304,12 @@ EOF
     local val2
     val2=$(get_checksum "tool2")
     assert_equal "$val2" "$sha2"
+
+    local val3
+    val3=$(get_checksum "tool3")
+    assert_equal "$val3" "$sha3"
+
+    assert_equal "${KNOWN_INSTALLERS[tool1]}" "https://example.com/1"
+    assert_equal "${KNOWN_INSTALLERS[tool2]}" "https://example.com/2"
+    assert_equal "${KNOWN_INSTALLERS[tool3]}" "https://example.com/3"
 }

tests/unit/lib/test_update.bats

@@ -1744,6 +1744,37 @@ EOF
     assert_output --partial "declare -a"
 }
 
+@test "update_sync_known_installer_urls_from_checksums: accepts quoted and unquoted urls" {
+    local checksums_file
+    checksums_file="$HOME/checksums.yaml"
+
+    cat > "$checksums_file" <<'EOF'
+installers:
+  double_quoted:
+    url: "https://example.com/double.sh"
+    sha256: "2222222222222222222222222222222222222222222222222222222222222222"
+  single_quoted:
+    url: 'https://example.com/single.sh'
+    sha256: "3333333333333333333333333333333333333333333333333333333333333333"
+  unquoted:
+    url: https://example.com/unquoted.sh
+    sha256: "4444444444444444444444444444444444444444444444444444444444444444"
+EOF
+
+    declare -gA KNOWN_INSTALLERS=(
+        [double_quoted]="https://example.invalid/old-double.sh"
+        [single_quoted]="https://example.invalid/old-single.sh"
+        [unquoted]="https://example.invalid/old-unquoted.sh"
+    )
+
+    update_sync_known_installer_urls_from_checksums "$checksums_file"
+    assert_equal "$?" "0"
+
+    assert_equal "${KNOWN_INSTALLERS[double_quoted]}" "https://example.com/double.sh"
+    assert_equal "${KNOWN_INSTALLERS[single_quoted]}" "https://example.com/single.sh"
+    assert_equal "${KNOWN_INSTALLERS[unquoted]}" "https://example.com/unquoted.sh"
+}
+
 @test "install.sh verifier refetches installer when fresh checksums change URL" {
     local installer="$PROJECT_ROOT/install.sh"
     local old_url="https://raw.githubusercontent.com/Dicklesworthstone/mcp_agent_mail/main/install.sh"