refactor(compile): remove indent parameter from generate_awf_mounts

Move {{ awf_mounts }} to its own template line so replace_with_indent
handles indentation automatically. When no mounts exist, emit a bare
bash continuation marker (\) to preserve the surrounding \-chain.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jamesadevine

docs/template-markers.md

@@ -369,7 +369,7 @@ The output is formatted as a comma-separated string (e.g., `github.com,*.dev.azu
 
 Replaced with `--mount` flags for the **agent job** AWF invocation only (not the detection job), collected from `CompilerExtension::required_awf_mounts()`. Each extension can declare volume mounts needed inside the AWF chroot as [`AwfMount`][AwfMount] values (e.g., the Lean runtime mounts `$HOME/.elan` so the elan toolchain is accessible).
 
-When no extensions declare mounts, this is replaced with an empty string (no `--mount` flags). When mounts are present, each is formatted as `--mount "spec" \` on its own continuation line (followed by a newline and appropriate indentation for the next AWF flag).
+When no extensions declare mounts, this is replaced with `\` (a bare bash continuation marker) so the surrounding `\`-continuation chain is preserved. When mounts are present, each is formatted as `--mount "spec" \` on its own line; indentation is handled by `replace_with_indent` at the call site.
 
 AWF replaces `$HOME` with an empty directory overlay for security; only explicitly mounted subdirectories are accessible inside the chroot. Shell variables like `$HOME` are expanded at runtime by bash.
 

src/compile/common.rs

@@ -1678,32 +1678,26 @@ pub fn generate_allowed_domains(
 /// Each mount spec is rendered using its [`Display`][std::fmt::Display] impl
 /// (Docker bind-mount format: `host_path:container_path[:mode]`).
 ///
-/// Returns an empty string if no extensions require mounts.
-/// When mounts are present, each flag occupies its own continuation line:
-/// `--mount "spec" \` followed by a newline and `indent`, ready to precede
-/// the next AWF flag inline in the template.
-///
-/// `indent` should match the whitespace that precedes sibling AWF flags in
-/// the template (e.g. `"            "` for standalone, `"                      "`
-/// for 1ES).
-pub fn generate_awf_mounts(
-    extensions: &[super::extensions::Extension],
-    indent: &str,
-) -> String {
+/// When no extensions require mounts, returns `\` (a bare bash continuation
+/// marker) so the surrounding `\`-continuation chain in the template is
+/// preserved.  When mounts are present, each flag occupies its own line
+/// (`--mount "spec" \`); indentation is handled by [`replace_with_indent`]
+/// at the call site.
+pub fn generate_awf_mounts(extensions: &[super::extensions::Extension]) -> String {
     let mounts: Vec<super::extensions::AwfMount> = extensions
         .iter()
         .flat_map(|ext| ext.required_awf_mounts())
         .collect();
 
     if mounts.is_empty() {
-        return String::new();
+        return "\\".to_string();
     }
 
     mounts
         .iter()
-        .map(|m| format!("--mount \"{}\" \\\n{}", m, indent))
+        .map(|m| format!("--mount \"{}\" \\", m))
         .collect::<Vec<_>>()
-        .join("")
+        .join("\n")
 }
 
 // ==================== Shared compile flow ====================
@@ -3761,8 +3755,8 @@ mod tests {
     fn test_generate_awf_mounts_no_extensions() {
         let fm = minimal_front_matter();
         let exts = crate::compile::extensions::collect_extensions(&fm);
-        let result = generate_awf_mounts(&exts, "            ");
-        assert!(result.is_empty(), "no mounts without lean");
+        let result = generate_awf_mounts(&exts);
+        assert_eq!(result, "\\", "no mounts should produce bare continuation");
     }
 
     #[test]
@@ -3771,12 +3765,14 @@ mod tests {
             "---\nname: test\ndescription: test\nruntimes:\n  lean: true\n---\n",
         ).unwrap();
         let exts = crate::compile::extensions::collect_extensions(&fm);
-        let result = generate_awf_mounts(&exts, "            ");
+        let result = generate_awf_mounts(&exts);
         assert!(result.contains("--mount"), "should contain --mount flag");
         assert!(result.contains(".elan"), "should reference .elan directory");
         assert!(result.contains(":ro"), "should be read-only");
-        // Each mount ends with ` \` continuation and newline+indent
-        assert!(result.contains("\\\n            "), "mount should be its own continuation line");
+        // Each mount line ends with ` \` continuation
+        assert!(result.ends_with(" \\"), "last mount should end with continuation");
+        // No embedded indent — replace_with_indent handles indentation
+        assert!(!result.contains("            "), "should not contain hard-coded indent");
     }
 
     // ═══════════════════════════════════════════════════════════════════════

src/compile/onees.rs

@@ -50,7 +50,7 @@ impl Compiler for OneESCompiler {
 
         // Generate values shared with standalone that are passed as extra replacements
         let allowed_domains = generate_allowed_domains(front_matter, &extensions)?;
-        let awf_mounts = generate_awf_mounts(&extensions, "                      ");
+        let awf_mounts = generate_awf_mounts(&extensions);
         let enabled_tools_args = generate_enabled_tools_args(front_matter);
 
         let mcpg_config = generate_mcpg_config(front_matter, &ctx, &extensions)?;

src/compile/standalone.rs

@@ -51,7 +51,7 @@ impl Compiler for StandaloneCompiler {
 
         // Standalone-specific values
         let allowed_domains = generate_allowed_domains(front_matter, &extensions)?;
-        let awf_mounts = generate_awf_mounts(&extensions, "            ");
+        let awf_mounts = generate_awf_mounts(&extensions);
         let enabled_tools_args = generate_enabled_tools_args(front_matter);
 
         let config_obj = generate_mcpg_config(front_matter, &ctx, &extensions)?;

src/data/1es-base.yml

@@ -339,7 +339,8 @@ extends:
                       --skip-pull \
                       --env-all \
                       --enable-host-access \
-                      {{ awf_mounts }}--container-workdir "{{ working_directory }}" \
+                      {{ awf_mounts }}
+                      --container-workdir "{{ working_directory }}" \
                       --log-level info \
                       --proxy-logs-dir "$(Agent.TempDirectory)/staging/logs/firewall" \
                       -- '{{ engine_run }}' \

src/data/base.yml

@@ -310,7 +310,8 @@ jobs:
             --skip-pull \
             --env-all \
             --enable-host-access \
-            {{ awf_mounts }}--container-workdir "{{ working_directory }}" \
+            {{ awf_mounts }}
+            --container-workdir "{{ working_directory }}" \
             --log-level info \
             --proxy-logs-dir "$(Agent.TempDirectory)/staging/logs/firewall" \
             -- '{{ engine_run }}' \