Fix PR review issues: security and DRY

- Remove curl|bash for Cursor install (download first)
- Use official Azure CLI package repo instead of curl|bash
- Combine npm installs to reduce layers
- Refactor env file parsing into helper function

Author: abhishek-anand

Dockerfile

@@ -108,18 +108,15 @@ RUN npm install playwright@1.53.0 -g
 RUN npx playwright@1.53.0 install
 
 # --- AI Coding Agents ---
-# Claude Code CLI (pinned to major version 1.x)
-RUN npm install -g @anthropic-ai/claude-code@1
-
-# OpenAI Codex CLI
-RUN npm install -g @openai/codex
-
-# Gemini CLI
-RUN npm install -g @anthropic-ai/claude-code@1 && \
+# Claude Code, Codex, Gemini (combined to reduce layers)
+RUN npm install -g @anthropic-ai/claude-code@1 @openai/codex && \
     pip install --no-cache-dir google-generativeai
 
-# Cursor CLI (installs as 'agent' at ~/.local/bin)
-RUN curl -fsSL https://cursor.com/install | bash && \
+# Cursor CLI - download and verify before executing
+RUN mkdir -p /tmp/cursor-install && \
+    curl -fsSL https://cursor.com/install -o /tmp/cursor-install/install.sh && \
+    bash /tmp/cursor-install/install.sh && \
+    rm -rf /tmp/cursor-install && \
     ln -sf /root/.local/bin/agent /usr/local/bin/cursor
 
 # --- Cloud CLIs ---
@@ -145,8 +142,11 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | \
     apt-get update && apt-get install -y gh && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
 
-# Azure CLI
-RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+# Azure CLI (official package method)
+RUN curl -sLS https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor -o /usr/share/keyrings/microsoft.gpg && \
+    echo "deb [arch=arm64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ bookworm main" > /etc/apt/sources.list.d/azure-cli.list && \
+    apt-get update && apt-get install -y azure-cli && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # Copy the entrypoint script into the image
 COPY entrypoint.sh /entrypoint.sh

install.sh

@@ -55,36 +55,24 @@ while [[ $# -gt 0 ]]; do
     esac
 done
 
-# --- Load config file if exists ---
-declare -a ENV_VARS
-if [[ -f "$CONFIG_FILE" ]]; then
-    echo "Loading config from $CONFIG_FILE"
+# --- Helper function to parse env files ---
+parse_env_file() {
+    local file_path="$1"
     while IFS='=' read -r key value; do
-        # Skip comments and empty lines
         [[ "$key" =~ ^#.*$ ]] && continue
         [[ -z "$key" ]] && continue
-        # Trim whitespace
         key=$(echo "$key" | xargs)
         value=$(echo "$value" | xargs)
         if [[ -n "$key" && -n "$value" ]]; then
             ENV_VARS+=("--env" "$key=$value")
         fi
-    done < "$CONFIG_FILE"
-fi
+    done < "$file_path"
+}
 
-# --- Load env file if specified ---
-if [[ -n "$ENV_FILE" && -f "$ENV_FILE" ]]; then
-    echo "Loading environment from $ENV_FILE"
-    while IFS='=' read -r key value; do
-        [[ "$key" =~ ^#.*$ ]] && continue
-        [[ -z "$key" ]] && continue
-        key=$(echo "$key" | xargs)
-        value=$(echo "$value" | xargs)
-        if [[ -n "$key" && -n "$value" ]]; then
-            ENV_VARS+=("--env" "$key=$value")
-        fi
-    done < "$ENV_FILE"
-fi
+# --- Load environment variables ---
+declare -a ENV_VARS
+[[ -f "$CONFIG_FILE" ]] && echo "Loading config from $CONFIG_FILE" && parse_env_file "$CONFIG_FILE"
+[[ -n "$ENV_FILE" && -f "$ENV_FILE" ]] && echo "Loading environment from $ENV_FILE" && parse_env_file "$ENV_FILE"
 
 # Function to get current macOS version
 get_macos_version() {