Duplicate Code Opportunity
Summary
- Pattern: The security-critical sequence — cleanup_and_exit signal handler definition, trap, background-launch of the agent, one-shot-token polling loop, unset_sensitive_tokens, wait, exit-code capture — is copy-pasted verbatim in both the chroot execution path and the non-chroot (container-only) execution path. Only the actual command launched in the background differs.
- Locations: containers/agent/entrypoint.sh lines 841–876 (chroot path) and 908–943 (non-chroot path)
- Impact: ~35 duplicated lines; security-sensitive token-clearing and signal-handling logic lives in two separate places
Evidence
Copy 1 — chroot path (lines 841–876):
    cleanup_and_exit() {
        if [ -n "$AGENT_PID" ]; then
            kill -TERM "$AGENT_PID" 2>/dev/null || true
            wait "$AGENT_PID" 2>/dev/null || true
        fi
        exit 143 # Standard exit code for SIGTERM
    }
    trap cleanup_and_exit TERM INT
    # SECURITY: Run agent command in background, then unset tokens from parent shell
    chroot /host /bin/bash -c "..." &
    AGENT_PID=$!
    # Wait for agent to initialize and cache tokens (up to 1 second)
    for _i in 1 2 3 4 5 6 7 8 9 10; do
        kill -0 "$AGENT_PID" 2>/dev/null || break
        sleep 0.1
    done
    unset_sensitive_tokens
    wait $AGENT_PID
    EXIT_CODE=$?
    trap - TERM INT
    exit $EXIT_CODE
Copy 2 — non-chroot path (lines 908–943):
Identical except the background command is capsh ... gosu awfuser "$@" / gosu awfuser "$@" instead of the chroot invocation.
Suggested Refactoring
Extract a shell function run_agent_with_token_protection that accepts the launch command as arguments:
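    run_agent_with_token_protection() {
        # $@ = the command to run in the background
        # This function does not return: it exits with the agent's exit code.
        AGENT_PID=""  # empty until the agent is launched, so an early signal is handled safely
        cleanup_and_exit() {
            # Forward the termination to the agent and reap it before exiting
            if [ -n "$AGENT_PID" ]; then
                kill -TERM "$AGENT_PID" 2>/dev/null || true
                wait "$AGENT_PID" 2>/dev/null || true
            fi
            exit 143 # Standard exit code for SIGTERM
        }
        trap cleanup_and_exit TERM INT
        # SECURITY: Run agent command in background, then unset tokens from parent shell
        "$@" &
        AGENT_PID=$!
        # Wait for agent to initialize and cache tokens (up to 1 second)
        for _i in 1 2 3 4 5 6 7 8 9 10; do
            kill -0 "$AGENT_PID" 2>/dev/null || break
            sleep 0.1
        done
        unset_sensitive_tokens
        wait "$AGENT_PID"
        EXIT_CODE=$?
        trap - TERM INT
        exit "$EXIT_CODE"
    }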
Then at each call site:
    # chroot path
    run_agent_with_token_protection chroot /host /bin/bash -c "..."
    # non-chroot path
    if [ -n "$CAPS_TO_DROP" ]; then
        # printf '%q ' re-quotes each original argument for the inner shell started by capsh
        run_agent_with_token_protection capsh --drop="$CAPS_TO_DROP" -- -c "exec gosu awfuser $(printf '%q ' "$@")"
    else
        run_agent_with_token_protection gosu awfuser "$@"
    fi
This ensures any future changes to signal handling or token-clearing policy (security-sensitive) are made once.
Affected Files
containers/agent/entrypoint.sh — lines 841–876 and 908–943
Effort Estimate
Low
Detected by Duplicate Code Detector workflow. Run date: 2026-05-05
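A regression check for the behaviour the single helper has to preserve at both call sites, given here as an added example and not code from entrypoint.sh or the project: the agent keeps the token it was launched with, the parent shell no longer holds it afterwards, and the agent's exit code is passed through. DEMO_TOKEN, the stub unset_sensitive_tokens, the fake agent and check_token_protection are assumptions, and this variant of the helper returns instead of calling exit so the result can be inspected.

```shell
# Assumed stand-in: the page does not show the real unset_sensitive_tokens.
unset_sensitive_tokens() { unset DEMO_TOKEN; }

# Same sequence as the proposed helper, except that it returns the agent's
# exit code instead of calling exit, so a caller can assert on the outcome.
run_agent_with_token_protection() {
    AGENT_PID=""
    cleanup_and_exit() {
        if [ -n "$AGENT_PID" ]; then
            kill -TERM "$AGENT_PID" 2>/dev/null || true
            wait "$AGENT_PID" 2>/dev/null || true
        fi
        exit 143
    }
    trap cleanup_and_exit TERM INT
    "$@" &
    AGENT_PID=$!
    for _i in 1 2 3 4 5 6 7 8 9 10; do
        kill -0 "$AGENT_PID" 2>/dev/null || break
        sleep 0.1
    done
    unset_sensitive_tokens
    EXIT_CODE=0
    wait "$AGENT_PID" || EXIT_CODE=$?
    trap - TERM INT
    return "$EXIT_CODE"
}

# Runs in a subshell ( ... ) so the export, unset and trap stay contained.
# The constructed fake agent outlives the 1-second polling window, records
# the token it inherited at launch, then exits 7.
check_token_protection() (
    out=$(mktemp) || exit 1
    export DEMO_TOKEN="constructed-sample-value"
    rc=0
    run_agent_with_token_protection \
        sh -c 'sleep 1.5; printf %s "$DEMO_TOKEN" > "$1"; exit 7' _ "$out" || rc=$?
    seen=$(cat "$out"); rm -f "$out"
    [ "$rc" -eq 7 ] || { echo "agent exit code lost: $rc"; exit 1; }
    [ "$seen" = "constructed-sample-value" ] || { echo "agent lost token"; exit 1; }
    [ -z "${DEMO_TOKEN+set}" ] || { echo "parent still holds token"; exit 1; }
    echo "ok"
)

check_token_protection
```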