From 6be0eee20b9d3ba7cdfeba187507b06935d70b30 Mon Sep 17 00:00:00 2001
From: Agent
Date: Sun, 29 Mar 2026 11:00:58 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20dispatcher=20=E2=80=94=20fix=20clone=20U?= =?UTF-8?q?RL=20and=20secret=20injection=20-=20Use=20FORGE=5FURL/FORGE=5FO?= =?UTF-8?q?PS=5FREPO=20for=20clonable=20URL=20-=20Pass=20-e=20SECRET=5FNAM?= =?UTF-8?q?E=20without=20value=20(Docker=20inherits=20from=20env)=20-=20Si?= =?UTF-8?q?mplify=20logging=20to=20hide=20all=20-e=20flags=20entirely?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 docker/edge/dispatcher.sh | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/docker/edge/dispatcher.sh b/docker/edge/dispatcher.sh
index 73f1590..02718b6 100755
--- a/docker/edge/dispatcher.sh
+++ b/docker/edge/dispatcher.sh
@@ -48,8 +48,8 @@ log() {
 # Clone or pull the ops repo
 ensure_ops_repo() {
 if [ ! -d "${OPS_REPO_ROOT}/.git" ]; then
- log "Cloning ops repo from ${FORGE_OPS_REPO}..."
- git clone "${FORGE_OPS_REPO}" "${OPS_REPO_ROOT}"
+ log "Cloning ops repo from ${FORGE_URL}/${FORGE_OPS_REPO}..."
+ git clone "${FORGE_URL}/${FORGE_OPS_REPO}" "${OPS_REPO_ROOT}"
 else
 log "Pulling latest ops repo changes..."
 (cd "${OPS_REPO_ROOT}" && git pull --rebase)
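Review bot: Nothing in this hunk checks that `FORGE_URL` is set before it is interpolated into the clone URL in `ensure_ops_repo`. If it is empty, and the script does not run under `set -u` (not visible here), the command becomes `git clone "/${FORGE_OPS_REPO}"`, which git treats as a local path instead of failing on a missing remote. A guard such as `: "${FORGE_URL:?FORGE_URL must be set}"` ahead of the clone would fail fast. The full URL is also written to the log, so if a deployment ever embeds credentials in `FORGE_URL` they would land in log output; logging only `${FORGE_OPS_REPO}` avoids that. The function body continues past the end of the hunk.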
@@ -93,14 +93,28 @@ launch_runner() {
 # Add environment variables BEFORE service name
 for secret in "${secrets[@]+"${secrets[@]}"}"; do
- cmd+=(-e "${secret}=***") # Redact value in the command array
+ cmd+=(-e "${secret}") # Pass actual value to container (from env)
 done
 # Add formula and id as arguments (after service name)
 cmd+=("$formula" "$id")
- # Log command skeleton (secrets are redacted)
- log "Running: ${cmd[*]}"
+ # Log command skeleton (hide all -e flags for security)
+ local -a log_cmd=()
+ local skip_next=0
+ for arg in "${cmd[@]}"; do
+ if [[ $skip_next -eq 1 ]]; then
+ skip_next=0
+ continue
+ fi
+ if [[ "$arg" == "-e" ]]; then
+ log_cmd+=("$arg" "")
+ skip_next=1
+ else
+ log_cmd+=("$arg")
+ fi
+ done
+ log "Running: ${log_cmd[*]}"
 # Execute with array expansion (safe from shell injection)
 "${cmd[@]}"
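Review bot: With `cmd+=(-e "${secret}")`, each entry in `secrets` is handed to Docker verbatim, so an entry of the form `NAME=value` sets an arbitrary variable, and any bare name copies that variable out of the dispatcher's own environment into the runner. Where `secrets` is populated is outside this hunk; if the names come from repository content, they should be checked against a strict identifier pattern (or an allowlist) before being added. A name that is not set in the dispatcher's environment would normally just be left unset in the container, so the runner starts without the secret and nothing reports it; the loop can reject that case up front. The sketch below does both and deliberately does not log the rejected entry, since it may carry a value; `return 1` assumes callers of `launch_runner` treat non-zero as a failed launch.

```shell
for secret in "${secrets[@]+"${secrets[@]}"}"; do
    # Accept only plain variable names that are actually set in this environment
    if [[ ! "$secret" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || [[ -z "${!secret+x}" ]]; then
        log "ERROR: rejected a secret entry (invalid name or not set in dispatcher env)"
        return 1
    fi
    cmd+=(-e "${secret}")
done
# … unchanged: formula/id arguments, log_cmd filtering, execution …
```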