Harden client tarball download fallback

[alokedesai]

Description

This PR hardens the client-side SCP fallback tarball download/cache path.

Important base-branch note: the requested cloud base branch origin/aloke/remote_code_errors_new was unavailable (git fetch and GitHub branch API returned not found), so this PR is based on and targets master instead.

Changes:

• Treat response-body read/decode failures and invalid gzip/tar responses as retryable client download failures.
• Use a fresh temp file for every retry attempt, removing failed partial downloads before the next attempt.
• Validate cached tarballs by reading the gzip stream and tar entries instead of accepting any non-empty file.
• Discard invalid cached tarballs and redownload them.
• Add remote_server::transport::Error::ClientDownloadFailed so exhausted client-side downloads are distinguishable from remote-host install/script failures.
• Add focused unit tests for retry cleanup, invalid cache rejection, valid cache reuse, retry exhaustion, and gzip/tar validation.

Diff summary from git diff origin/master..aloke/client-tarball-decode-hardening | cat:

• Cargo.lock
• app/Cargo.toml
• app/src/remote_server/ssh_transport/installation/scp_fallback.rs
• app/src/remote_server/ssh_transport/installation/scp_fallback_tests.rs
• crates/remote_server/src/setup.rs
• crates/remote_server/src/transport.rs
• 6 files changed, 303 insertions(+), 65 deletions(-)

Linked Issue

• The linked issue is labeled ready-to-spec or ready-to-implement.
• Where appropriate, screenshots or a short video of the implementation are included below (especially for user-visible or UI changes).

Testing

• cargo fmt --all
• cargo test -p warp remote_server::ssh_transport::installation::scp_fallback::tests -- --nocapture
  • Result: 5 passed; 0 failed.
  • Visible controlled HTTP evidence included retry logs, invalid-cache discard logs, and valid-cache reuse logs.
• cargo test -p remote_server
  • Result: 71 passed; 0 failed; doc-tests passed.
• cargo clippy -p warp -p remote_server --tests -- -D warnings
  • Result: passed.
• I have manually tested my changes locally with ./script/run
  • Not run: this is a non-UI install-path hardening change validated by focused unit tests and clippy in the cloud environment.

Screenshots / Videos

Computer-use validation observed the focused test command passing with:

• test result: ok. 5 passed; 0 failed; 0 ignored; 0 measured; 4376 filtered out; finished in 0.53s
• Visible logs showing invalid cached tarball discard, valid cached tarball reuse, and retry attempts.

Additional artifact:

• Validation log uploaded as a conversation artifact: validation.log (019e3759-11a0-717b-a831-40c9454a3f44). It contains the focused test output and Docker availability check.

Docker/SSH-container limitation:

• The requested SSH-enabled Linux container repro could not be run because Docker is not installed in this cloud environment (bash: docker: command not found). The closest demonstrable repro/fix artifact is the controlled local HTTP endpoint exercised by the new mockito-backed tests: invalid/truncated tarball bodies are rejected/retried, later valid responses succeed, invalid cache entries are discarded, and repeated invalid responses produce a recognizable client download failure.

Agent Mode

• Warp Agent Mode - This PR was created via Warp's AI Agent Mode

CHANGELOG-BUG-FIX: Harden SSH remote-server SCP fallback downloads against corrupt client-side tarball responses and invalid cached tarballs.

Conversation: https://staging.warp.dev/conversation/0e2319dd-35f8-47ef-8aea-a2df29a2a3a5
Run: https://oz.staging.warp.dev/runs/019e3748-dacd-710a-948c-011597f08232

Co-Authored-By: Oz oz-agent@warp.dev
This PR was generated with Oz.

Additional non-Docker localhost SSH repro

Follow-up validation created a local sshd on port 2222 with a constrained placeholder user so the commands matched Warp's production placeholder@placeholder ControlMaster/SCP shape.

Artifact evidence:

• Non-Docker SSH repro log: non_docker_ssh_repro.log (019e37c2-783c-76bd-9942-a9e6c68a4111).
• Repro script: run_repro.sh (019e37c2-7a2a-7b38-a1e8-083f076744ab).

Observed flow:

• Localhost SSH ControlMaster ran as placeholder on Linux x86_64 with /usr/bin/curl and /usr/bin/tar available.
• Fake HTTP endpoint request 1 returned a truncated tarball body (73 of 219 bytes), causing direct remote install to fail as expected with curl: (18) transfer closed with 146 bytes remaining to read.
• Client fallback download from the same fake endpoint received request 2's full body (219 bytes), and tar -tzf listed oz (client_download_validation=tar_list_ok).
• The validated tarball was uploaded over SCP through the same ControlMaster path, installed using the staged-tarball install script path, and verified with ~/.warp-dev/remote-server/warp-oss --version returning warp-oss fake remote server v1.

Computer-use validation also observed the saved log and confirmed the truncated-first/full-second request sequence plus staged install success.