fix(review): harden env parsing and align startup diagnostics

Author: GitHub Copilot CLI

.devcontainer/Dockerfile

@@ -51,7 +51,7 @@ RUN --mount=type=cache,target=/tmp/npm-cache \
     # 並列処理完了待ち
     wait && \
     # ECC ajv依存関係修正（既知の問題対応）
-    ECC_DIR=$(npm list -g ecc-universal 2>/dev/null | head -n1 | awk '{print $1}')/node_modules/ecc-universal && \
+    ECC_DIR="$(npm root -g 2>/dev/null)/ecc-universal" && \
     if [ -d "$ECC_DIR" ]; then \
         cd "$ECC_DIR" && npm install ajv 2>/dev/null || true; \
     fi && \

.devcontainer/entrypoint.sh

@@ -2,21 +2,8 @@
 
 echo "🔧 OpenCode ECC DevContainer エントリーポイント"
 
-is_valid_tailscale_key() {
-    local key
-    key=$(echo "$1" | tr -d '"' | tr -d '[:space:]')
-    [[ "$key" =~ ^tskey-auth- ]] || return 1
-    [[ "$key" == "your-tailscale-auth-key-here" ]] && return 1
-    [[ "$key" == "tskey-auth-xxxxxxxxxxxxxxxxx" ]] && return 1
-    [[ "$key" =~ ^tskey-auth-[xX]+$ ]] && return 1
-    return 0
-}
-
-# Tailscale daemon 起動
-if is_valid_tailscale_key "$TAILSCALE_AUTH_KEY"; then
-    echo "🌐 Tailscale daemon 起動中..."
-    sudo tailscaled --statedir=/var/lib/tailscale --socket=/run/tailscale/tailscaled.sock &
-fi
+# tailscaled startup is centrally handled by .devcontainer/startup.sh
+# to keep daemon flags and lifecycle behavior consistent.
 
 # メインプロセス実行
 exec "$@"

.devcontainer/lib/common.sh

@@ -53,10 +53,29 @@ resolve_env_template_file() {
 load_env_file() {
     local env_file="$1"
     [[ -f "$env_file" ]] || return 1
-    # shellcheck disable=SC1090
-    set -a
-    source "$env_file" 2>/dev/null || true
-    set +a
+
+    # Parse KEY=VALUE lines only to avoid executing arbitrary shell code.
+    local line key value
+    while IFS= read -r line || [[ -n "$line" ]]; do
+        line="${line%$'\r'}"
+        [[ -z "${line//[[:space:]]/}" ]] && continue
+        [[ "$line" =~ ^[[:space:]]*# ]] && continue
+
+        if [[ "$line" =~ ^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=(.*)$ ]]; then
+            key="${BASH_REMATCH[1]}"
+            value="${BASH_REMATCH[2]}"
+            value=$(echo "$value" | sed -E 's/^[[:space:]]+|[[:space:]]+$//g')
+
+            if [[ "$value" =~ ^\"(.*)\"$ ]]; then
+                value="${BASH_REMATCH[1]}"
+            elif [[ "$value" =~ ^\'(.*)\'$ ]]; then
+                value="${BASH_REMATCH[1]}"
+            fi
+
+            export "$key=$value"
+        fi
+    done < "$env_file"
+
     return 0
 }
 

.devcontainer/setup.sh

@@ -85,9 +85,9 @@ chmod -R 755 ~/.opencode 2>/dev/null || true
 
 # ajv 依存関係エラー修正（既知の問題）
 echo "   🔧 ajv 依存関係修正中..."
-ECC_PATH=$(npm list -g ecc-universal 2>/dev/null | head -n1 | awk '{print $1}' || echo "")
-if [[ -n "$ECC_PATH" ]] && [[ -d "$ECC_PATH/node_modules/ecc-universal" ]]; then
-    cd "$ECC_PATH/node_modules/ecc-universal"
+ECC_DIR="$(npm root -g 2>/dev/null)/ecc-universal"
+if [[ -d "$ECC_DIR" ]]; then
+    cd "$ECC_DIR"
     echo "     ECCディレクトリ: $(pwd)"
     npm install ajv 2>/dev/null || echo "     ajv インストール試行"
     cd - > /dev/null

.devcontainer/validate-setup.sh

@@ -57,7 +57,7 @@ if [[ -f "/workspace/.env" ]]; then
     if [[ -n "$TAILSCALE_AUTH_KEY" && "$TAILSCALE_AUTH_KEY" != "your-tailscale-auth-key-here" && "$TAILSCALE_AUTH_KEY" != "tskey-auth-xxxxxxxxxxxxxxxxx" ]]; then
         run_test "TAILSCALE_AUTH_KEY 設定確認" "test -n '$TAILSCALE_AUTH_KEY'"
     else
-        echo -e "${YELLOW}🔍 [${TESTS_TOTAL}+1] TAILSCALE_AUTH_KEY 設定確認 (オプション)${NC}"
+        echo -e "${YELLOW}🔍 [$((TESTS_TOTAL+1))] TAILSCALE_AUTH_KEY 設定確認 (オプション)${NC}"
         echo -e "${YELLOW}   ⚠️  SKIP（ローカルモード許容）${NC}"
     fi
     run_test "ECC_PROFILE 設定確認" "test -n '$ECC_PROFILE'"

scripts/diagnose-devcontainer.sh

@@ -62,7 +62,6 @@ if [ -f ".env" ]; then
 
     if [ -n "$TAILSCALE_AUTH_KEY" ] && [ "$TAILSCALE_AUTH_KEY" != "your-auth-key-here" ] && [ "$TAILSCALE_AUTH_KEY" != "tskey-auth-xxxxxxxxxxxxxxxxx" ]; then
         echo "  ✅ TAILSCALE_AUTH_KEY 設定済み"
-        echo "     キー: ${TAILSCALE_AUTH_KEY:0:15}..."
     else
         echo "  ⚠️  TAILSCALE_AUTH_KEY 未設定またはテンプレート値"
         echo "     設定コマンド: ./scripts/setup-tailscale.sh"