From bbaccd678d5bda6129fe665f275b6793ccb3ac7a Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Thu, 16 Apr 2026 18:36:42 +0000
Subject: [PATCH 1/3] fix: entrypoint: validate_projects_dir silently exits
 instead of logging FATAL under set -eo pipefail (#877)

`compgen -G ... | wc -l` under `set -eo pipefail` aborts the script on
the non-zero pipeline exit (compgen returns 1 on no match) before the
FATAL diagnostic branch can run. The container still fast-fails, but
operators saw no explanation.

Switch to the conditional `if ! compgen -G ... >/dev/null 2>&1; then`
pattern already used at the two other compgen call sites in this file
(bootstrap_factory_repo and the PROJECT_NAME parser). The count for the
success-path log is computed after we've confirmed at least one match.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docker/agents/entrypoint.sh | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/docker/agents/entrypoint.sh b/docker/agents/entrypoint.sh
index 89a520b..f838c15 100644
--- a/docker/agents/entrypoint.sh
+++ b/docker/agents/entrypoint.sh
@@ -346,15 +346,19 @@ bootstrap_factory_repo
 # This prevents the silent-zombie mode where the polling loop matches zero files
 # and does nothing forever.
 validate_projects_dir() {
-  local toml_count
-  toml_count=$(compgen -G "${DISINTO_DIR}/projects/*.toml" 2>/dev/null | wc -l)
-  if [ "$toml_count" -eq 0 ]; then
+  # NOTE: compgen -G exits non-zero when no matches exist, so piping it through
+  # `wc -l` under `set -eo pipefail` aborts the script before the FATAL branch
+  # can log a diagnostic (#877).  Use the conditional form already adopted at
+  # lines above (see bootstrap_factory_repo, PROJECT_NAME parsing).
+  if ! compgen -G "${DISINTO_DIR}/projects/*.toml" >/dev/null 2>&1; then
     log "FATAL: No real .toml files found in ${DISINTO_DIR}/projects/"
     log "Expected at least one project config file (e.g., disinto.toml)"
     log "The directory only contains *.toml.example template files."
     log "Mount the host ./projects volume or copy real .toml files into the container."
     exit 1
   fi
+  local toml_count
+  toml_count=$(compgen -G "${DISINTO_DIR}/projects/*.toml" | wc -l)
   log "Projects directory validated: ${toml_count} real .toml file(s) found"
 }
 

From f1f60e555c7a44ea43f12fcd2d6ebbce6d50fb57 Mon Sep 17 00:00:00 2001
From: Agent <agent@example.com>
Date: Thu, 16 Apr 2026 18:21:41 +0000
Subject: [PATCH 2/3] fix: fix: vault_request RETURN trap fires prematurely
 when vault-env.sh is sourced (#773)

---
 lib/action-vault.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/action-vault.sh b/lib/action-vault.sh
index 6348cc6..7bed943 100644
--- a/lib/action-vault.sh
+++ b/lib/action-vault.sh
@@ -128,7 +128,6 @@ vault_request() {
   # Validate TOML content
   local tmp_toml
   tmp_toml=$(mktemp /tmp/vault-XXXXXX.toml)
-  trap 'rm -f "$tmp_toml"' RETURN
 
   printf '%s' "$toml_content" > "$tmp_toml"
 
@@ -150,6 +149,9 @@ vault_request() {
   # Restore caller's FORGE_TOKEN after validation
   FORGE_TOKEN="${_saved_forge_token:-}"
 
+  # Set trap AFTER sourcing vault-env.sh to avoid RETURN trap firing during source
+  trap 'rm -f "$tmp_toml"' RETURN
+
   # Run validation
   if ! validate_vault_action "$tmp_toml"; then
     echo "ERROR: TOML validation failed" >&2

From 96870d9f3035697194cb123abdb75e10d430ed42 Mon Sep 17 00:00:00 2001
From: Agent <agent@example.com>
Date: Thu, 16 Apr 2026 18:21:41 +0000
Subject: [PATCH 3/3] fix: fix: vault_request RETURN trap fires prematurely
 when vault-env.sh is sourced (#773)

---
 lib/action-vault.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/action-vault.sh b/lib/action-vault.sh
index 6348cc6..7602a39 100644
--- a/lib/action-vault.sh
+++ b/lib/action-vault.sh
@@ -128,7 +128,6 @@ vault_request() {
   # Validate TOML content
   local tmp_toml
   tmp_toml=$(mktemp /tmp/vault-XXXXXX.toml)
-  trap 'rm -f "$tmp_toml"' RETURN
 
   printf '%s' "$toml_content" > "$tmp_toml"
 
@@ -136,6 +135,7 @@ vault_request() {
   local vault_env="${FACTORY_ROOT:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)}/action-vault/vault-env.sh"
   if [ ! -f "$vault_env" ]; then
     echo "ERROR: vault-env.sh not found at $vault_env" >&2
+    rm -f "$tmp_toml"
     return 1
   fi
 
@@ -145,11 +145,15 @@ vault_request() {
   if ! source "$vault_env"; then
     FORGE_TOKEN="${_saved_forge_token:-}"
     echo "ERROR: failed to source vault-env.sh" >&2
+    rm -f "$tmp_toml"
     return 1
   fi
   # Restore caller's FORGE_TOKEN after validation
   FORGE_TOKEN="${_saved_forge_token:-}"
 
+  # Set trap AFTER sourcing vault-env.sh to avoid RETURN trap firing during source
+  trap 'rm -f "$tmp_toml"' RETURN
+
   # Run validation
   if ! validate_vault_action "$tmp_toml"; then
     echo "ERROR: TOML validation failed" >&2