From 95ae175e1b8d56d910ecaafdee39a83b67d436e0 Mon Sep 17 00:00:00 2001
From: anti <samuel@securejump.cl>
Date: Sun, 19 Apr 2026 04:58:55 -0400
Subject: [PATCH] fix(swarm-mgmt): exclude .env from bundle, chmod +x decnet,
 mkdir log

---
 decnet/web/router/swarm_mgmt/api_enroll_bundle.py | 5 +++++
 decnet/web/templates/enroll_bootstrap.sh.j2       | 6 ++++++
 tests/api/swarm_mgmt/test_enroll_bundle.py        | 4 ++++
 3 files changed, 15 insertions(+)

diff --git a/decnet/web/router/swarm_mgmt/api_enroll_bundle.py b/decnet/web/router/swarm_mgmt/api_enroll_bundle.py
index 8b72b25..b8f5f0e 100644
--- a/decnet/web/router/swarm_mgmt/api_enroll_bundle.py
+++ b/decnet/web/router/swarm_mgmt/api_enroll_bundle.py
@@ -66,6 +66,11 @@ _EXCLUDES: tuple[str, ...] = (
     "decnet-state.json",
     "master.log", "master.json",
     "decnet.tar",
+    # Dev-host env/config leaks — these bake the master's absolute paths into
+    # the agent and point log handlers at directories that don't exist on the
+    # worker VM.
+    ".env", ".env.*", "**/.env", "**/.env.*",
+    "decnet.ini", "**/decnet.ini",
 )
 
 
diff --git a/decnet/web/templates/enroll_bootstrap.sh.j2 b/decnet/web/templates/enroll_bootstrap.sh.j2
index ec3bf59..afa8566 100644
--- a/decnet/web/templates/enroll_bootstrap.sh.j2
+++ b/decnet/web/templates/enroll_bootstrap.sh.j2
@@ -28,6 +28,9 @@ python3 -m venv .venv
 install -Dm0644 etc/decnet/decnet.ini /etc/decnet/decnet.ini
 [[ -f services.ini ]] && install -Dm0644 services.ini /etc/decnet/services.ini
 
+# Log directory the baked-in INI points at — must exist before `decnet` imports config.
+install -d -m0755 /var/log/decnet
+
 REAL_USER="${SUDO_USER:-root}"
 REAL_HOME="$(getent passwd "$REAL_USER" | cut -d: -f6)"
 for f in ca.crt worker.crt worker.key; do
@@ -35,6 +38,9 @@ for f in ca.crt worker.crt worker.key; do
     "home/.decnet/agent/$f" "$REAL_HOME/.decnet/agent/$f"
 done
 
+# Guarantee the pip-installed entrypoint is executable (some setuptools+editable
+# combos drop it with mode 0644) and expose it on PATH.
+chmod 0755 "$INSTALL_DIR/.venv/bin/decnet"
 ln -sf "$INSTALL_DIR/.venv/bin/decnet" /usr/local/bin/decnet
 sudo -u "$REAL_USER" /usr/local/bin/decnet agent --daemon
 echo "[DECNET] agent {{ agent_name }} enrolled -> {{ master_host }}. Forwarder auto-spawned."
diff --git a/tests/api/swarm_mgmt/test_enroll_bundle.py b/tests/api/swarm_mgmt/test_enroll_bundle.py
index 788a280..4f340bb 100644
--- a/tests/api/swarm_mgmt/test_enroll_bundle.py
+++ b/tests/api/swarm_mgmt/test_enroll_bundle.py
@@ -159,6 +159,10 @@ async def test_get_tgz_contents(client, auth_token, tmp_path):
         assert "__pycache__" not in bad
         assert not bad.endswith(".pyc")
         assert "node_modules" not in bad
+        # Dev-host env leaks would bake absolute master paths into the agent.
+        assert not bad.endswith(".env"), f"leaked env file: {bad}"
+        assert ".env.local" not in bad, f"leaked env file: {bad}"
+        assert ".env.example" not in bad, f"leaked env file: {bad}"
 
     # INI content is correct
     ini = tf.extractfile("etc/decnet/decnet.ini").read().decode()