Encryption key generation failure in web export

.github/scripts/inject_ci_flag.py

@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+"""
+Infrastructure utility for Godot 4 Web exports.
+
+This script modifies 'export_presets.cfg' to inject a custom 'ci' feature flag.
+"""
+
+import re
+import shutil
+import sys
+from pathlib import Path
+
+# Force UTF-8 encoding for stdout to prevent crashes on Windows legacy terminals.
+# Safely fallback to "" if stdout is redirected (e.g., in CI) and encoding is None.
+stdout_enc = sys.stdout.encoding or ""
+if stdout_enc.lower() != "utf-8":
+    try:
+        sys.stdout.reconfigure(encoding="utf-8")
+    except Exception:
+        # Proceed safely if reconfigure is unsupported in the current piped environment
+        pass
+
+
+def inject_ci_flag():
+    """
+    Parses export_presets.cfg and injects the 'ci' flag into custom_features.
+    Uses a 'Strip and Append' strategy to safely handle multiple presets.
+    """
+    config_path = Path("export_presets.cfg")
+    backup_path = Path("export_presets.cfg.bak")
+
+    try:
+        if config_path.exists():
+            if not backup_path.exists():
+                shutil.copy2(config_path, backup_path)
+        else:
+            print(
+                f"❌ ERROR: {config_path} not found. Ensure you are in the project root."
+            )
+            sys.exit(1)
+
+        data = config_path.read_text(encoding="utf-8")
+
+        # 1. Strip out ANY existing custom_features lines to ensure a clean slate.
+        updated_data = re.sub(r"(?m)^custom_features=.*\r?\n?", "", data)
+
+        # 2. Inject the 'ci' flag directly under EVERY root preset header.
+        # This matches [preset.0], [preset.1] etc., but explicitly avoids [preset.0.options]
+        updated_data = re.sub(
+            r"(?m)^(\[preset\.\d+\])\s*$", r'\1\ncustom_features="ci"', updated_data
+        )
+
+        config_path.write_text(updated_data, encoding="utf-8")
+
+        print("✅ Successfully injected 'ci' feature flag into export_presets.cfg")
+
+    except Exception as e:
+        try:
+            print(f"❌ Failed to inject 'ci' flag: {e}")
+        except UnicodeEncodeError:
+            print(f"Failed to inject 'ci' flag (encoding error in logs): {e}")
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    inject_ci_flag()

.github/scripts/inject_salt.sh

@@ -1,53 +1,39 @@
 #!/bin/bash
+# .github/scripts/inject_salt.sh
 
-# $1 is the filename passed from Python (e.g., "dummy.godot")
 TARGET_FILE="$1"
 
 if [ -z "$TARGET_FILE" ]; then
-    echo "Error: No file path provided."
+    echo "❌ ERROR: No target file provided."
     exit 1
 fi
 
-awk '
-BEGIN {
-  salt = ENVIRON["SALT"]
-  in_game = 0
-  salt_written = 0
-  saw_game_section = 0
-}
-{
-  if ($0 ~ /^\[game\]/) {
-    in_game = 1
-    saw_game_section = 1
-    print
-    next
-  } else if ($0 ~ /^\[/ && $0 !~ /^\[game\]/) {
-    if (in_game && !salt_written) {
-      print "security/save_salt=\"" salt "\""
-      salt_written = 1
-    }
-    in_game = 0
-    print
-    next
-  }
-  if (in_game && $0 ~ /^[[:space:]]*security\/save_salt[[:space:]]*=/) {
-    if (!salt_written) {
-      print "security/save_salt=\"" salt "\""
-      salt_written = 1
-    }
-    next
-  }
-  print
-}
-END {
-  if (in_game && !salt_written) {
-    print "security/save_salt=\"" salt "\""
-    salt_written = 1
-  }
-  if (!saw_game_section) {
-    if (NR > 0) { print "" }
-    print "[game]"
-    print "security/save_salt=\"" salt "\""
-  }
+if [ ! -f "$TARGET_FILE" ]; then
+    echo "❌ ERROR: Target file '$TARGET_FILE' does not exist."
+    exit 1
+fi
+
+if [ -z "$PRODUCTION_SALT" ]; then
+    echo "❌ ERROR: PRODUCTION_SALT environment variable is not set."
+    exit 1
+fi
+
+echo "⚙️ Injecting secret into $TARGET_FILE..."
+
+# 1. Escape for Godot's parser
+GODOT_ESCAPED=$(printf '%s' "$PRODUCTION_SALT" | sed 's/\\/\\\\/g; s/"/\\"/g')
+
+# 2. Escape for sed replacement string
+SED_ESCAPED=$(printf '%s' "$GODOT_ESCAPED" | sed 's/\\/\\\\/g; s/&/\\&/g; s/|/\\|/g')
+
+# Cross-platform sed for in-place editing (macOS vs Linux)
+sedi() {
+  if [ "$(uname)" = "Darwin" ]; then
+    sed -i '' "$@"
+  else
+    sed -i "$@"
+  fi
 }
-' "$TARGET_FILE" > "${TARGET_FILE}.tmp" && mv "${TARGET_FILE}.tmp" "$TARGET_FILE"
+
+# 3. Replace the safe placeholder with the real secret
+sedi "s|\"CI_INJECT_SALT_HERE\"|\"$SED_ESCAPED\"|g" "$TARGET_FILE"

.github/workflows/browser_test.yml

@@ -23,14 +23,21 @@
     steps:
       - uses: "actions/[email protected]"
 
-      - name: "Inject Test Salt"
-        # Ensures Godot headless export doesn't strip the property, keeping encryption active for tests
+      - name: "Disable Editor Plugins (Prevent Headless Crash)"
         run: |
-          if ! grep -q '\[game\]' project.godot; then
-            printf '\n[game]\nsecurity/save_salt="test_salt_12345"\n' >> project.godot
-          else
-            sed -i '/^\[game\]/a security/save_salt="test_salt_12345"' project.godot
-          fi
+          # Prevents Signal 11 crashes during headless export on Ubuntu runners
+          sed -i '/^\[editor_plugins\]/,/^\[/ s/^enabled=PackedStringArray.*/enabled=PackedStringArray()/' project.godot
+
+      - name: "Inject Test Salt into GDScript"
+        env:
+          PRODUCTION_SALT: "playwright_dummy_salt_123"
+        run: |
+          # Executes the Single Source of Truth script
+          bash ./.github/scripts/inject_salt.sh "scripts/core/globals.gd"
+
+      - name: "Inject 'ci' feature flag into export_presets.cfg"
+        run: |
+          python3 .github/scripts/inject_ci_flag.py
 
       - name: "Create Export Directories"
         run: |
@@ -40,19 +47,19 @@
         id: "export"
         uses: "firebelley/godot-export@930577654862a320eef793f399ee911b4479efb9"
         with:
           godot_executable_download_url: "https://github.com/godotengine/godot/releases/download/4.5-stable/Godot_v4.5-stable_linux.x86_64.zip"
           godot_export_templates_download_url: "https://github.com/godotengine/godot/releases/download/4.5-stable/Godot_v4.5-stable_export_templates.tpz"
           relative_project_path: "./"
           relative_export_path: "./export/web_thread_off"
           archive_output: false
           cache: false
           verbose: true
           presets_to_export: "Web_thread_off"
           use_preset_export_path: true  # Move exports to the directory defined in export_presets.cfg
 
       - name: "Flatten Export Directory"
         run: |
           bash ./.github/scripts/flatten_export.sh "export/web_thread_off" "Web_thread_off"
 
       - name: "List Export Directory Contents"
         run: |
@@ -69,12 +76,12 @@
 
       - name: "Cache PIP Dependencies"
         uses: "actions/cache@v5"
         id: cache
         with:
           path: "~/.cache/pip"
           # FIX: Added '-v2' to invalidate the old corrupted cache
           key: ${{ runner.os }}-pip-v2-${{ hashFiles('requirements.txt') }}
           restore-keys: ${{ runner.os }}-pip-v2-
 
       - name: "Install Playwright"
         run: |
@@ -83,9 +90,9 @@
 
       - name: "Cache Playwright Browsers"
         uses: "actions/cache@v5"
         id: playwright-cache
         with:
           path: ~/.cache/ms-playwright
           # FIX: Added '-v2-' to force GitHub to build a brand new, healthy cache
           key: ${{ runner.os }}-playwright-v2-${{ hashFiles('**/requirements.txt') }}
           restore-keys: ${{ runner.os }}-playwright-v2-
@@ -93,11 +100,26 @@
       - name: "Install Playwright Browsers"
         if: steps.playwright-cache.outputs.cache-hit != 'true'
         run: |
-          playwright install --with-deps chromium
+            playwright install --with-deps chromium
 
-      - name: "Start WEB Server"
+      - name: "Start Security-Isolated HTTP Server"
         run: |
-          python -m http.server 8080 --directory export/web_thread_off &
+            python3 -c "
+            import http.server, socketserver, os
+            class MyHandler(http.server.SimpleHTTPRequestHandler):
+                def end_headers(self):
+                    self.send_header('Cross-Origin-Opener-Policy', 'same-origin')
+                    self.send_header('Cross-Origin-Embedder-Policy', 'require-corp')
+                    self.send_header('Cache-Control', 'no-store, no-cache, must-revalidate')
+                    super().end_headers()
+            socketserver.TCPServer.allow_reuse_address = True
+            with socketserver.TCPServer(('', 8080), MyHandler) as httpd:
+                os.chdir('export/web_thread_off')
+                print('🚀 Security-isolated server starting on port 8080...')
+                httpd.serve_forever()
+            " &
+            sleep 5
+            curl -I http://localhost:8080/index.html
 
       - name: "Wait For WEB Server Response"
         run: |
@@ -112,7 +134,7 @@
 
       - name: "Run Tests"
         run: |
-          PYTHONPATH="$PWD/tests:$PYTHONPATH" pytest tests/ -v --ignore=tests/refactor --junitxml=junit.xml -o junit_family=legacy
+          PYTHONPATH="$PWD/tests:$PYTHONPATH" pytest tests/ -v --ignore=tests/refactor --ignore=tests/ci --junitxml=junit.xml -o junit_family=legacy
 
       - name: "List Coverage Reports"
         run: |

.github/workflows/deploy_to_itch.yml

@@ -36,56 +36,16 @@ jobs:
             printf '\n[application]\nconfig/version="%s"\n' "$ESCAPED_VERSION" >> project.godot
           fi
 
-      - name: "Inject Production Salt into project.godot"
-        env:
-          RAW_SECRET: ${{ secrets.PRODUCTION_SALT }}
+      - name: "Disable Editor Plugins (Prevent Headless Crash)"
         run: |
-            # 1. Escape backslashes and quotes for Godot's config format[cite: 14]
-            ESCAPED_SALT=$(printf '%s' "$RAW_SECRET" | sed 's/\\/\\\\/g; s/"/\\"/g')
-            # 2. Use a section-aware awk script to update security/save_salt[cite: 14]
-            # Pass the salt directly into awk to avoid broad environment exposure[cite: 14]
-            awk -v salt="$ESCAPED_SALT" '
-              BEGIN {
-                in_game = 0
-                salt_written = 0
-                saw_game_section = 0
-              }
-              {
-                if ($0 ~ /^\[game\]/) {
-                  in_game = 1
-                  saw_game_section = 1
-                  print
-                  next
-                } else if ($0 ~ /^\[/ && $0 !~ /^\[game\]/) {
-                  if (in_game && !salt_written) {
-                    print "security/save_salt=\"" salt "\""
-                    salt_written = 1
-                  }
-                  in_game = 0
-                  print
-                  next
-                }
-                if (in_game && $0 ~ /^[[:space:]]*security\/save_salt[[:space:]]*=/) {
-                  if (!salt_written) {
-                    print "security/save_salt=\"" salt "\""
-                    salt_written = 1
-                  }
-                  next
-                }
-                print
-              }
-              END {
-                if (in_game && !salt_written) {
-                  print "security/save_salt=\"" salt "\""
-                  salt_written = 1
-                }
-                if (!saw_game_section) {
-                  if (NR > 0) { print "" }
-                  print "[game]"
-                  print "security/save_salt=\"" salt "\""
-                }
-              }
-            ' project.godot > project.godot.tmp && mv project.godot.tmp project.godot
+          # Prevents Signal 11 crashes during headless export on Ubuntu runners
+          # Section-aware: Only targets the enabled array inside [editor_plugins]
+          sed -i '/^\[editor_plugins\]/,/^\[/ s/^enabled=PackedStringArray.*/enabled=PackedStringArray()/' project.godot
+
+      - name: "Inject Production Salt into GDScript"
+        env:
+          PRODUCTION_SALT: ${{ secrets.PRODUCTION_SALT }}
+        run: bash ./.github/scripts/inject_salt.sh "scripts/core/globals.gd"
 
       - name: "Create Export Directories"
         run: mkdir -p export/web

.github/workflows/lint_readme.yml

@@ -21,7 +21,7 @@ jobs:
         # Lints Markdown for formatting/spelling
         # Pinned to SHA for security (was @v19)
         # yamllint disable rule:line-length
-        uses: "DavidAnson/markdownlint-cli2-action@ce4853d43830c74c1753b39f3cf40f71c2031eb9"
+        uses: "DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd"
         # yamllint enable rule:line-length
         with:
           config: ".markdownlint-cli2.yaml"

.github/workflows/release_drafter.yml

@@ -26,7 +26,7 @@ jobs:
       tag_name: "${{ steps.drafter.outputs.tag_name }}"  # Expose from step
     steps:
       # yamllint disable-line rule:line-length
-      - uses: "release-drafter/release-drafter@5de93583980a40bd78603b6dfdcda5b4df377b32"
+      - uses: "release-drafter/release-drafter@c2e2804cc59f45f57076a99af580d0fedb697927"
         id: drafter  # Add ID to access outputs
         with:
           config-name: "release-drafter.yml"  # Explicitly point to your config

.github/workflows/release_drafter_pr.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       # yamllint disable-line rule:line-length
-      - uses: "release-drafter/release-drafter@5de93583980a40bd78603b6dfdcda5b4df377b32"
+      - uses: "release-drafter/release-drafter@c2e2804cc59f45f57076a99af580d0fedb697927"
         with:
           config-name: "release-drafter.yml"  # Your existing config
         env:

.github/workflows/test_ci_scripts.yml

@@ -18,6 +18,11 @@ jobs:
         with:
           python-version: "3.12"
 
-      - name: "Run Salt Injection Test"
+      - name: "Install Dependencies"
         run: |
-          python tests/ci/test_salt_injection.py
+          python -m pip install --upgrade pip
+          pip install pytest playwright
+
+      - name: "Run CI Injection Tests"
+        run: |
+          pytest tests/ci/ -v -s

project.godot

@@ -50,11 +50,11 @@ window/vsync/vsync_mode=0
 
 [editor_plugins]
 
-enabled=PackedStringArray("res://addons/ai_autonomous_agent/plugin.cfg", "res://addons/gut/plugin.cfg")
+enabled=PackedStringArray("res://addons/gut/plugin.cfg")
 
 [game]
 
-security/save_salt=""
+security/save_salt="dev_fallback_salt"
 
 [gdunit4]
 

requirements.txt

@@ -31,4 +31,4 @@ setuptools==80.10.2
 six==1.17.0
 text-unidecode==1.3
 typing_extensions==4.15.0
-urllib3==2.6.3
+urllib3==2.7.0