From 4f99a7a26a979984149e2cfd84ba0c444d0c00c3 Mon Sep 17 00:00:00 2001 From: openhands Date: Tue, 24 Mar 2026 20:36:55 +0000 Subject: [PATCH] fix: Clean up decrypted secrets on failure, verify Claude CLI install (#618) Add EXIT trap in disinto_up() so the plaintext .env is removed even if docker compose up fails. Previously set -euo pipefail would abort before the cleanup block, leaving secrets on disk. Replace the silent || true in the Dockerfile with an explicit claude --version check so the build fails visibly if the CLI cannot be installed. Co-Authored-By: Claude Opus 4.6 (1M context) --- bin/disinto | 3 ++- docker/agents/Dockerfile | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/bin/disinto b/bin/disinto index bbe6d43..5487d75 100755 --- a/bin/disinto +++ b/bin/disinto @@ -1226,13 +1226,14 @@ disinto_up() { if [ -f "$enc_file" ] && command -v sops &>/dev/null && [ ! -f "$env_file" ]; then tmp_env="${env_file}" sops -d --output-type dotenv "$enc_file" > "$tmp_env" + trap '[ -n "${tmp_env:-}" ] && rm -f "$tmp_env"' EXIT echo "Decrypted secrets for compose" fi docker compose -f "$compose_file" up -d "$@" echo "Stack is up" - # Clean up temp .env + # Clean up temp .env (also handled by EXIT trap if compose fails) if [ -n "$tmp_env" ] && [ -f "$tmp_env" ]; then rm -f "$tmp_env" echo "Removed temporary .env" diff --git a/docker/agents/Dockerfile b/docker/agents/Dockerfile index 2dc8a22..18cc7f2 100644 --- a/docker/agents/Dockerfile +++ b/docker/agents/Dockerfile 
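Review bot: The EXIT trap is registered only after `sops -d --output-type dotenv "$enc_file" > "$tmp_env"`, so if sops fails and `set -e` aborts there, the redirect has already created the file and nothing removes it. A leftover file also makes the `[ ! -f "$env_file" ]` guard skip decryption on the next run. Moving `trap '[ -n "${tmp_env:-}" ] && rm -f "$tmp_env"' EXIT` to just above the sops line closes that window. The plaintext file is also created with the caller's umask, so it may be readable by other local users while compose starts; `(umask 077; sops -d --output-type dotenv "$enc_file" > "$tmp_env")` keeps it owner-only. disinto_up starts and ends outside the hunk, so it is worth confirming that no other EXIT trap in the script is replaced by this one.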
@@ -4,9 +4,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ bash curl git jq tmux cron python3 openssh-client ca-certificates \ && rm -rf /var/lib/apt/lists/* -# Claude CLI +# Claude CLI — install and verify RUN curl -fsSL https://cli.anthropic.com/install.sh | sh \ - && mv /root/.claude/local/claude /usr/local/bin/claude || true + && cp "$(find /root -name claude -type f 2>/dev/null | head -1)" /usr/local/bin/claude \ + && claude --version # Non-root user RUN useradd -m -u 1000 -s /bin/bash agent
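Review bot: The `curl -fsSL https://cli.anthropic.com/install.sh | sh` line still runs whatever the endpoint serves at build time with no integrity check, and the added `claude --version` only shows that some binary runs, not that it is the expected one. Because the RUN shell has no pipefail, a failed download hands `sh` an empty script and the error only surfaces later, at the `cp`. The `find /root -name claude -type f 2>/dev/null | head -1` lookup also takes the first file named claude anywhere under /root; if the installer's target path is known, copying from that explicit path is more predictable. I would download the installer to a file, check it against a pinned SHA-256 and only then execute it, as sketched below (the digest is a build-time placeholder).

```dockerfile
# placeholder: supply the SHA-256 of the reviewed installer at build time
ARG CLAUDE_INSTALL_SHA256
RUN curl -fsSL -o /tmp/claude-install.sh https://cli.anthropic.com/install.sh \
    && echo "${CLAUDE_INSTALL_SHA256}  /tmp/claude-install.sh" | sha256sum -c - \
    && sh /tmp/claude-install.sh \
    && rm -f /tmp/claude-install.sh \
    # … unchanged: cp of the installed binary to /usr/local/bin/claude …
    && claude --version
```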