From cd115a51a30904eb68d375693428864478acb0e4 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 10 Apr 2026 19:26:41 +0000
Subject: [PATCH] fix: edge control critical bugs - .env dedup, authorized_keys, Caddy routes
- Fix .env write in edge register to use single grep -Ev + mv pattern (not three-pass append)
- Fix register.sh to source authorized_keys.sh and call rebuild_authorized_keys directly
- Fix caddy.sh remove_route to use jq to find route index by host match
- Fix authorized_keys.sh operator precedence: { [ -z ] || [ -z ]; } && continue
- Fix install.sh Caddyfile to use { admin localhost:2019 } global options
- Fix deregister and status SSH to use StrictHostKeyChecking=accept-new
---
 bin/disinto | 11 ++++-------
 tools/edge-control/install.sh | 7 ++-----
 tools/edge-control/lib/authorized_keys.sh | 2 +-
 tools/edge-control/lib/caddy.sh | 15 ++++-----------
 tools/edge-control/register.sh | 5 +++--
 5 files changed, 14 insertions(+), 26 deletions(-)
diff --git a/bin/disinto b/bin/disinto
index c9f1845..ffc9a26 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -1715,11 +1715,8 @@ disinto_edge() {
 # Write to .env (replace existing entries to avoid duplicates)
 local tmp_env
 tmp_env=$(mktemp)
- grep -v "^EDGE_TUNNEL_HOST=" "$env_file" > "$tmp_env" 2>/dev/null || true
- grep -v "^EDGE_TUNNEL_PORT=" "$env_file" >> "$tmp_env" 2>/dev/null || true
- grep -v "^EDGE_TUNNEL_FQDN=" "$env_file" >> "$tmp_env" 2>/dev/null || true
- cat "$tmp_env" > "$env_file"
- rm -f "$tmp_env"
+ grep -Ev "^EDGE_TUNNEL_(HOST|PORT|FQDN)=" "$env_file" > "$tmp_env" 2>/dev/null || true
+ mv "$tmp_env" "$env_file"
 echo "EDGE_TUNNEL_HOST=${edge_host}" >> "$env_file"
 echo "EDGE_TUNNEL_PORT=${port}" >> "$env_file"
 echo "EDGE_TUNNEL_FQDN=${fqdn}" >> "$env_file"
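Review bot: In the `.env` rewrite, `2>/dev/null || true` hides a real grep failure (exit status above 1, for example an unreadable file), so `tmp_env` stays empty and the following `mv` replaces `.env` with an empty file, dropping every unrelated entry. The `mv` also gives `.env` the temp file's inode, owner and `mktemp` mode rather than the original's, and it is only an atomic rename when the temp file sits on the same filesystem as `$env_file`. Creating the temp file beside `$env_file` and treating only status 1 as benign covers both. `disinto_edge` starts and ends outside the hunk, so the `return 1` error path below is an assumption about its convention.

```shell
# … unchanged: local tmp_env …
tmp_env=$(mktemp "${env_file}.XXXXXX")
local grep_rc=0
grep -Ev "^EDGE_TUNNEL_(HOST|PORT|FQDN)=" "$env_file" > "$tmp_env" 2>/dev/null || grep_rc=$?
# grep exits 1 when no line is left to print; anything higher is a read error
if [ "$grep_rc" -gt 1 ] && [ -e "$env_file" ]; then
  rm -f "$tmp_env"
  echo "Error: could not read ${env_file}; leaving it unchanged" >&2
  return 1
fi
mv "$tmp_env" "$env_file"
# … unchanged: the three echo >> "$env_file" lines …
```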
@@ -1763,7 +1760,7 @@ disinto_edge() {
 # SSH to edge host and deregister
 echo "Deregistering tunnel for ${project} on ${edge_host}..."
 local response
- response=$(ssh -o StrictHostKeyChecking=no -o BatchMode=yes \
+ response=$(ssh -o StrictHostKeyChecking=accept-new -o BatchMode=yes \
 "disinto-register@${edge_host}" \
 "deregister ${project}" 2>&1) || {
 echo "Error: failed to deregister tunnel" >&2
@@ -1804,7 +1801,7 @@ disinto_edge() {
 # SSH to edge host and get status
 echo "Checking tunnel status on ${edge_host}..."
 local response
- response=$(ssh -o StrictHostKeyChecking=no -o BatchMode=yes \
+ response=$(ssh -o StrictHostKeyChecking=accept-new -o BatchMode=yes \
 "disinto-register@${edge_host}" \
 "list" 2>&1) || {
 echo "Error: failed to get status" >&2
diff --git a/tools/edge-control/install.sh b/tools/edge-control/install.sh
index b525d3e..d206e7b 100755
--- a/tools/edge-control/install.sh
+++ b/tools/edge-control/install.sh
@@ -230,11 +230,8 @@ cat > "$CADDYFILE" <
diff --git a/tools/edge-control/lib/caddy.sh b/tools/edge-control/lib/caddy.sh
index 92bc01e..0bfe307 100755
--- a/tools/edge-control/lib/caddy.sh
+++ b/tools/edge-control/lib/caddy.sh
@@ -85,18 +85,11 @@ remove_route() {
 return 1
 }
- # Find the route index that matches our fqdn
- local route_index=-1
- local idx=0
- while IFS= read -r host; do
- if [ "$host" = "$fqdn" ]; then
- route_index=$idx
- break
- fi
- idx=$((idx + 1))
- done < <(echo "$routes_json" | jq -r '.[].match[].host[]' 2>/dev/null)
+ # Find the route index that matches our fqdn using jq
+ local route_index
+ route_index=$(echo "$routes_json" | jq -r "to_entries[] | select(.value.match[]?.host[]? == \"${fqdn}\") | .key" 2>/dev/null | head -1)
- if [ "$route_index" -lt 0 ]; then
+ if [ -z "$route_index" ] || [ "$route_index" = "null" ]; then
 echo "Warning: route for ${fqdn} not found" >&2
 return 0
 fi
diff --git a/tools/edge-control/register.sh b/tools/edge-control/register.sh
index 3bd3c8c..75624ee 100755
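Review bot: `StrictHostKeyChecking=accept-new` in the deregister call, and in the identical status call in the next hunk, still trusts whatever host key the edge host presents on first contact, and with `BatchMode=yes` nobody sees the fingerprint. Unlike `no` it rejects a changed key, so this is an improvement, but the first connection stays unauthenticated. If the edge host key can be provisioned into `known_hosts` ahead of time, `-o StrictHostKeyChecking=yes` closes that gap. The register subcommand's ssh call is not part of this diff and is worth checking for the same option.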
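Review bot: The new `route_index=` line in `remove_route` builds the jq program by interpolating `${fqdn}` into a double-quoted string, so a quote or backslash in the value alters the filter instead of being compared as data. Passing it as a jq variable keeps it data: `jq -r --arg fqdn "$fqdn" 'to_entries[] | select(.value.match[]?.host[]? == $fqdn) | .key'`. Separately, `2>/dev/null` makes a jq error indistinguishable from "not found", and that branch returns 0, so a failed lookup would leave the route in place while the caller carries on as if it had been removed. Where `fqdn` is derived and whether it is validated lies outside the hunk, as do the start and end of `remove_route`.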
--- a/tools/edge-control/register.sh
+++ b/tools/edge-control/register.sh
@@ -20,6 +20,7 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # Source libraries
 source "${SCRIPT_DIR}/lib/ports.sh"
 source "${SCRIPT_DIR}/lib/caddy.sh"
+source "${SCRIPT_DIR}/lib/authorized_keys.sh"
 # Domain suffix
 DOMAIN_SUFFIX="${DOMAIN_SUFFIX:-disinto.ai}"
@@ -77,7 +78,7 @@ do_register() {
 add_route "$project" "$port"
 # Rebuild authorized_keys for tunnel user
- "${SCRIPT_DIR}/lib/authorized_keys.sh" rebuild_authorized_keys
+ rebuild_authorized_keys
 # Reload Caddy
 reload_caddy
@@ -107,7 +108,7 @@ do_deregister() {
 remove_route "$project"
 # Rebuild authorized_keys for tunnel user
- "${SCRIPT_DIR}/lib/authorized_keys.sh" rebuild_authorized_keys
+ rebuild_authorized_keys
 # Reload Caddy
 reload_caddy
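Review bot: The return status of `rebuild_authorized_keys` is not checked before `reload_caddy`, either in `do_register` or in the matching `do_deregister` hunk that follows. In `do_deregister` a failed rebuild would presumably leave the removed project's key in the tunnel user's `authorized_keys` even though `remove_route` has already run. Unless the script runs under `set -e` (not visible here), consider `rebuild_authorized_keys || { echo "Error: failed to rebuild authorized_keys" >&2; exit 1; }`. Both function bodies start and end outside the hunks, so the right error exit is a guess.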