Fix apply-profile.sh: remove dead locals, fix env var ordering, use safe heredocs

SecAI-Hub · claude · SecAI-Hub · commit cc759ceef574 · 2026-03-28T15:33:04.000-07:00
- Remove unused local variables (status, profile, previous, detail, tmpfile)
  that shellcheck flagged as SC2034 — the function reads from env vars
- Fix _OVERRIDE_FILE set after the python3 command that reads it
- Use single-quoted heredocs with env vars (not ${shell_var} interpolation)
  for both override and state file readers, consistent with C6 fix pattern

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/files/system/usr/libexec/secure-ai/apply-profile.sh b/files/system/usr/libexec/secure-ai/apply-profile.sh
@@ -40,8 +40,7 @@ VALID_PROFILES="offline_private research full_lab"
 log() { echo "[apply-profile] $(date -u +%Y-%m-%dT%H:%M:%SZ) $*"; }
 
 write_result() {
-    local status="$1" profile="$2" previous="$3" detail="${4:-}"
-    local tmpfile="${RESULT_FILE}.tmp"
+    # Reads from env vars: _RES_STATUS, _RES_PROFILE, _RES_PREVIOUS, _RES_DETAIL, _RES_TMPFILE, _RES_FILE
     python3 << 'PYEOF'
 import json, os, sys
 result = {
@@ -94,16 +93,15 @@ read_current_profile() {
     # Operator override takes precedence (hard lock)
     if [ -f "$OPERATOR_OVERRIDE" ]; then
         local override
-        override=$(python3 -c "
-import yaml, os, sys
+        override=$(_OVERRIDE_FILE="$OPERATOR_OVERRIDE" python3 -c '
+import yaml, os
 try:
-    with open(os.environ['_OVERRIDE_FILE']) as f:
+    with open(os.environ["_OVERRIDE_FILE"]) as f:
         data = yaml.safe_load(f)
-    print(data.get('profile', ''))
+    print(data.get("profile", ""))
 except Exception:
-    print('')
-" 2>/dev/null) || true
-        _OVERRIDE_FILE="$OPERATOR_OVERRIDE" || true
+    print("")
+' 2>/dev/null) || true
         if [ -n "$override" ] && validate_profile "$override"; then
             echo "$override"
             return 0
@@ -113,15 +111,15 @@ except Exception:
     # Read from runtime state
     if [ -f "$PROFILE_STATE" ]; then
         local current
-        current=$(python3 -c "
-import json, sys
+        current=$(_PS_FILE="$PROFILE_STATE" python3 -c '
+import json, os
 try:
-    with open('${PROFILE_STATE}') as f:
+    with open(os.environ["_PS_FILE"]) as f:
         data = json.load(f)
-    print(data.get('active', ''))
+    print(data.get("active", ""))
 except Exception:
-    print('')
-" 2>/dev/null) || true
+    print("")
+' 2>/dev/null) || true
         if [ -n "$current" ] && validate_profile "$current"; then
             echo "$current"
             return 0
