From b4556a55828bdb8499e136cb08bbcf3ab25c1f16 Mon Sep 17 00:00:00 2001
From: Aditya Garud
Date: Sun, 26 Apr 2026 16:23:59 +0530
Subject: [PATCH] feat(orchestrator): add --skip-binary-integrity for system-package installs
---
 apps/orchestrator/README.md | 5 +++++
 apps/orchestrator/src/cli.ts | 39 ++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
diff --git a/apps/orchestrator/README.md b/apps/orchestrator/README.md
index 5713c9278..9a28ae355 100644
--- a/apps/orchestrator/README.md
+++ b/apps/orchestrator/README.md
@@ -42,6 +42,11 @@ OpenCode Router is optional. If it exits, `openwork` continues running unless yo
 For development overrides only, set `OPENWORK_ALLOW_EXTERNAL=1` or pass `--allow-external` to use locally installed `openwork-server` or `opencode-router` binaries.
+System-package distributions (e.g. AUR) that rebuild sidecar binaries locally cannot match the
+upstream-bundled SHA-256 manifest. Pass `--skip-binary-integrity` (or set
+`OPENWORK_SKIP_BINARY_INTEGRITY=1`) to bypass the integrity check. This is intended for trusted
+system-package installs only — leave it off for default downloads.
+
 Add `--verbose` (or `OPENWORK_VERBOSE=1`) to print extra diagnostics about resolved binaries.
 OpenCode hot reload is enabled by default when launched via `openwork`.
diff --git a/apps/orchestrator/src/cli.ts b/apps/orchestrator/src/cli.ts
index 5dfb2aa88..cdf142564 100644
--- a/apps/orchestrator/src/cli.ts
+++ b/apps/orchestrator/src/cli.ts
@@ -2116,11 +2116,19 @@ async function sha256File(path: string): Promise {
 return createHash("sha256").update(data).digest("hex");
 }
+function shouldSkipBinaryIntegrity(): boolean {
+ const raw = (process.env.OPENWORK_SKIP_BINARY_INTEGRITY ?? "")
+ .trim()
+ .toLowerCase();
+ return raw === "1" || raw === "true" || raw === "yes";
+}
+
 async function verifyBinary(
 path: string,
 expected?: VersionInfo,
 ): Promise {
 if (!expected) return;
+ if (shouldSkipBinaryIntegrity()) return;
 const hash = await sha256File(path);
 if (hash !== expected.sha256) {
 throw new Error(`Integrity check failed for ${path}`);
@@ -3640,6 +3648,7 @@ function printHelp(): void {
 " --no-opencode-router Disable opencodeRouter sidecar",
 " --opencode-router-required Exit if opencodeRouter stops",
 " --allow-external Allow external sidecar binaries (dev only, required for custom bins)",
+ " --skip-binary-integrity Skip SHA-256 integrity checks on sidecar binaries (for system-package installs)",
 " --sidecar-dir Cache directory for downloaded sidecars",
 " --sidecar-base-url Base URL for sidecar downloads",
 " --sidecar-manifest Override sidecar manifest URL",
@@ -5554,6 +5563,15 @@ async function spawnRouterDaemon(
 false,
 "OPENWORK_ALLOW_EXTERNAL",
 );
+ const skipBinaryIntegrity = readBool(
+ args.flags,
+ "skip-binary-integrity",
+ false,
+ "OPENWORK_SKIP_BINARY_INTEGRITY",
+ );
+ if (skipBinaryIntegrity) {
+ process.env.OPENWORK_SKIP_BINARY_INTEGRITY = "1";
+ }
 const sidecarSource = readFlag(args.flags, "sidecar-source") ?? process.env.OPENWORK_SIDECAR_SOURCE;
@@ -5583,6 +5601,7 @@ async function spawnRouterDaemon(
 );
 if (corsValue) commandArgs.push("--cors", corsValue);
 if (allowExternal) commandArgs.push("--allow-external");
+ if (skipBinaryIntegrity) commandArgs.push("--skip-binary-integrity");
 if (sidecarSource) commandArgs.push("--sidecar-source", sidecarSource);
 if (opencodeSource) commandArgs.push("--opencode-source", opencodeSource);
 if (verbose) commandArgs.push("--verbose");
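Review bot: The early return added to `verifyBinary` skips the SHA-256 comparison for every caller and does so silently, so nothing in a log or in the output records that a binary ran unverified. As far as this hunk shows, the bypass is not limited to the locally rebuilt system-package binaries the README describes; a sidecar obtained through the download options listed in `printHelp` would presumably be skipped as well whenever `OPENWORK_SKIP_BINARY_INTEGRITY` is present in the environment. At minimum, emit a warning before returning, for example `console.warn(`Integrity check skipped for ${path} (OPENWORK_SKIP_BINARY_INTEGRITY set)`);`, and consider restricting the skip to binaries resolved from a system path if the callers can tell the difference. `shouldSkipBinaryIntegrity` also parses the variable by hand (`1`/`true`/`yes`) while the later hunks use `readBool`; whether both accept the same values cannot be confirmed from this diff. The body of `verifyBinary` continues outside the hunk.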
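Review bot: Assigning `process.env.OPENWORK_SKIP_BINARY_INTEGRITY = "1"` in the hunk at -5554 turns a per-invocation flag into process-wide state, which any child process started with the default environment will inherit. The spawned daemon also receives `--skip-binary-integrity` in the hunk at -5583, so the setting travels by two channels. The same read-then-set block is repeated in `runRouterDaemon` (-5909) and `runStart` (-7002); one small helper (a hypothetical `applySkipBinaryIntegrity(args.flags)`), or passing the boolean to `verifyBinary` explicitly, would keep the bypass in a single auditable place. If the environment mutation stays, a comment such as `// verifyBinary() reads this env var; set it so the CLI flag takes effect in this process` would explain why it is needed. `spawnRouterDaemon` starts and ends outside the hunk.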
@@ -5909,6 +5928,16 @@ async function runRouterDaemon(args: ParsedArgs) {
 false,
 "OPENWORK_ALLOW_EXTERNAL",
 );
+ if (
+ readBool(
+ args.flags,
+ "skip-binary-integrity",
+ false,
+ "OPENWORK_SKIP_BINARY_INTEGRITY",
+ )
+ ) {
+ process.env.OPENWORK_SKIP_BINARY_INTEGRITY = "1";
+ }
 const manifest = await readVersionManifest();
 logVerbose(`cli version: ${cliVersion}`);
 logVerbose(`sidecar target: ${sidecar.target ?? "unknown"}`);
@@ -7002,6 +7031,16 @@ async function runStart(args: ParsedArgs) {
 false,
 "OPENWORK_ALLOW_EXTERNAL",
 );
+ if (
+ readBool(
+ args.flags,
+ "skip-binary-integrity",
+ false,
+ "OPENWORK_SKIP_BINARY_INTEGRITY",
+ )
+ ) {
+ process.env.OPENWORK_SKIP_BINARY_INTEGRITY = "1";
+ }
 const sidecarTarget = resolveSandboxSidecarTarget(sandboxMode);
 const sidecar = resolveSidecarConfigForTarget(
 args.flags,