fix(container): address copilot review feedback and gofumpt 0.10 reformat

- Sort known profiles in ProfileFromName error message for stable output.
- Validate AgentProfile.EnvFileRelPath before interpolating into the
  shell snippet to block command injection via dynamic profiles.
- Gate the exit-137 swallow in DockerManager.WireMCPGateway to the
  openclaw profile so a real OOM under hermes is not masked.
- gofumpt -w across files unchanged on main; CI pinned to gofumpt@latest
  pulled in v0.10.0 with stricter rules.

Author: nnemirovsky

cmd/sluice/mcp_test.go

@@ -648,7 +648,8 @@ func TestHandleMCPGatewayNoUpstreams(t *testing.T) {
 		return
 	}
 	cmd := exec.Command(os.Args[0], "-test.run=TestHandleMCPGatewayNoUpstreams")
-	cmd.Env = append(os.Environ(),
+	cmd.Env = append(
+		os.Environ(),
 		"TEST_MCP_SUBPROCESS=no_upstreams",
 		"TEST_DB_PATH="+dbPath,
 		"TELEGRAM_BOT_TOKEN=",
@@ -686,7 +687,8 @@ func TestHandleMCPGatewayInvalidChatID(t *testing.T) {
 		return
 	}
 	cmd := exec.Command(os.Args[0], "-test.run=TestHandleMCPGatewayInvalidChatID")
-	cmd.Env = append(os.Environ(),
+	cmd.Env = append(
+		os.Environ(),
 		"TEST_MCP_SUBPROCESS=invalid_chat_id",
 		"TEST_DB_PATH="+dbPath,
 	)

cmd/sluice/policy.go

@@ -261,7 +261,8 @@ func handlePolicyImport(args []string) error {
 		return fmt.Errorf("import: %w", err)
 	}
 
-	fmt.Printf("imported: %d rules (%d skipped), %d bindings (%d skipped), %d upstreams (%d skipped), %d config\n",
+	fmt.Printf(
+		"imported: %d rules (%d skipped), %d bindings (%d skipped), %d upstreams (%d skipped), %d config\n",
 		result.RulesInserted, result.RulesSkipped,
 		result.BindingsInserted, result.BindingsSkipped,
 		result.UpstreamsInserted, result.UpstreamsSkipped,

e2e/apple_test.go

@@ -287,7 +287,8 @@ func (e *appleEnv) startTun2proxy() {
 		e.t.Skipf("tun2proxy not in PATH: %v", err)
 	}
 
-	cmd := exec.Command(tun2proxyBin,
+	cmd := exec.Command(
+		tun2proxyBin,
 		"--proxy", "socks5://"+e.sluice.ProxyAddr,
 		"--tun", e.tunIface,
 	)
@@ -655,7 +656,8 @@ func TestAppleContainerSluiceStartsWithRuntimeFlag(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 
-	cmd := exec.CommandContext(ctx, binary,
+	cmd := exec.CommandContext(
+		ctx, binary,
 		"--runtime", "apple",
 		"--listen", fmt.Sprintf("127.0.0.1:%d", proxyPort),
 		"--db", dbPath,

e2e/credential_test.go

@@ -278,7 +278,8 @@ func TestCredential_HeaderInjection(t *testing.T) {
 	_, port := mustSplitAddr(t, echo.URL)
 
 	// Add credential with binding for the echo server.
-	runCredAdd(t, setup.Proc, "test_api_key", "real-secret-value-123",
+	runCredAdd(
+		t, setup.Proc, "test_api_key", "real-secret-value-123",
 		"--destination", "127.0.0.1",
 		"--ports", port,
 		"--header", "X-Api-Key",
@@ -308,7 +309,8 @@ func TestCredential_PhantomInBody(t *testing.T) {
 	echo := startTLSEchoServerWithCA(t, setup.CA)
 	_, port := mustSplitAddr(t, echo.URL)
 
-	runCredAdd(t, setup.Proc, "body_cred", "body-secret-42",
+	runCredAdd(
+		t, setup.Proc, "body_cred", "body-secret-42",
 		"--destination", "127.0.0.1",
 		"--ports", port,
 		"--header", "Authorization",
@@ -352,7 +354,8 @@ func TestCredential_UnboundPhantomStripped(t *testing.T) {
 	_, unboundPort := mustSplitAddr(t, unboundEcho.URL)
 
 	// Add credential bound to the first echo server only.
-	runCredAdd(t, setup.Proc, "bound_cred", "bound-secret",
+	runCredAdd(
+		t, setup.Proc, "bound_cred", "bound-secret",
 		"--destination", "127.0.0.1",
 		"--ports", boundPort,
 		"--header", "X-Cred",
@@ -480,7 +483,8 @@ func TestCredential_Rotation(t *testing.T) {
 	_, port := mustSplitAddr(t, echo.URL)
 
 	// Add initial credential.
-	runCredAdd(t, setup.Proc, "rotate_key", "original-value",
+	runCredAdd(
+		t, setup.Proc, "rotate_key", "original-value",
 		"--destination", "127.0.0.1",
 		"--ports", port,
 		"--header", "X-Api-Key",
@@ -524,14 +528,16 @@ func TestCredential_MultipleDestinations(t *testing.T) {
 	_, portB := mustSplitAddr(t, echoB.URL)
 
 	// Add credential A bound to echo server A.
-	runCredAdd(t, setup.Proc, "cred_a", "secret-a",
+	runCredAdd(
+		t, setup.Proc, "cred_a", "secret-a",
 		"--destination", "127.0.0.1",
 		"--ports", portA,
 		"--header", "X-Key-A",
 	)
 
 	// Add credential B bound to echo server B.
-	runCredAdd(t, setup.Proc, "cred_b", "secret-b",
+	runCredAdd(
+		t, setup.Proc, "cred_b", "secret-b",
 		"--destination", "127.0.0.1",
 		"--ports", portB,
 		"--header", "X-Key-B",

e2e/grpc_test.go

@@ -174,7 +174,8 @@ func TestGRPC_CredentialInjectionInMetadata(t *testing.T) {
 	_, port := splitHostPort(t, h2Addr)
 
 	// Add credential with binding for the H2 server.
-	runCredAdd(t, setup.Proc, "grpc_token", "grpc-real-secret-456",
+	runCredAdd(
+		t, setup.Proc, "grpc_token", "grpc-real-secret-456",
 		"--destination", "127.0.0.1",
 		"--ports", port,
 		"--header", "Authorization",

e2e/helpers_test.go

@@ -589,7 +589,8 @@ func sluiceWithWebhook(t *testing.T, policyTOML, webhookURL string) *SluiceProce
 	}
 
 	// Add the HTTP webhook channel to the pre-seeded DB.
-	channelCmd := exec.Command(binary, "channel", "add",
+	channelCmd := exec.Command(
+		binary, "channel", "add",
 		"--type", "http",
 		"--url", webhookURL,
 		"--db", dbPath,

e2e/websocket_test.go

@@ -209,7 +209,8 @@ func TestWebSocket_CredentialInjectionInUpgradeHeaders(t *testing.T) {
 	_, port := splitHostPort(t, wsAddr)
 
 	// Add credential bound to the WS echo server.
-	runCredAdd(t, setup.Proc, "ws_api_key", "ws-real-secret-789",
+	runCredAdd(
+		t, setup.Proc, "ws_api_key", "ws-real-secret-789",
 		"--destination", "127.0.0.1",
 		"--ports", port,
 		"--header", "X-Ws-Key",

internal/channel/channel_test.go

@@ -397,7 +397,8 @@ func TestBrokerPendingLimitZeroMeansUnlimited(t *testing.T) {
 		}()
 	}
 
-	broker = NewBroker([]Channel{ch1},
+	broker = NewBroker(
+		[]Channel{ch1},
 		WithMaxPending(0),
 		WithDestinationRateLimit(0, 0),
 	)
@@ -429,7 +430,8 @@ func TestBrokerDestinationRateLimiting(t *testing.T) {
 		}()
 	}
 
-	broker = NewBroker([]Channel{ch1},
+	broker = NewBroker(
+		[]Channel{ch1},
 		WithMaxPending(0),
 		WithDestinationRateLimit(3, time.Minute),
 	)
@@ -477,7 +479,8 @@ func TestBrokerDestinationRateLimitDisabled(t *testing.T) {
 		}()
 	}
 
-	broker = NewBroker([]Channel{ch1},
+	broker = NewBroker(
+		[]Channel{ch1},
 		WithMaxPending(0),
 		WithDestinationRateLimit(0, 0),
 	)

internal/container/agent_profile.go

@@ -2,6 +2,8 @@ package container
 
 import (
 	"fmt"
+	"path"
+	"sort"
 	"strings"
 )
 
@@ -110,9 +112,48 @@ func ProfileFromName(name string) (*AgentProfile, error) {
 	for k := range builtinProfiles {
 		known = append(known, k)
 	}
+	sort.Strings(known)
 	return nil, fmt.Errorf("unknown agent profile %q (known: %s)", name, strings.Join(known, ", "))
 }
 
+// validateEnvFileRelPath ensures the env file path declared by an
+// AgentProfile is safe to interpolate into a shell snippet inside
+// double quotes. The path must be relative (no leading "/"), must
+// not contain ".." segments, and must not contain shell metacharacters
+// or whitespace that would let a maliciously constructed profile run
+// arbitrary commands when BuildEnvInjectionScriptForProfile is called.
+//
+// All built-in profiles in this package are constants and pass this
+// check trivially. The validation exists to keep the surface safe if
+// a future caller in this internal package constructs an AgentProfile
+// dynamically.
+func validateEnvFileRelPath(p string) error {
+	if p == "" {
+		return fmt.Errorf("EnvFileRelPath is empty")
+	}
+	if strings.HasPrefix(p, "/") {
+		return fmt.Errorf("EnvFileRelPath %q must be relative (not absolute)", p)
+	}
+	cleaned := path.Clean(p)
+	if cleaned != p {
+		return fmt.Errorf("EnvFileRelPath %q is not in canonical form (got %q)", p, cleaned)
+	}
+	if strings.HasPrefix(cleaned, "../") || cleaned == ".." || strings.Contains(cleaned, "/../") {
+		return fmt.Errorf("EnvFileRelPath %q must not traverse parent directories", p)
+	}
+	for _, r := range p {
+		switch {
+		case r >= 'A' && r <= 'Z':
+		case r >= 'a' && r <= 'z':
+		case r >= '0' && r <= '9':
+		case r == '/' || r == '.' || r == '_' || r == '-':
+		default:
+			return fmt.Errorf("EnvFileRelPath %q contains disallowed character %q", p, r)
+		}
+	}
+	return nil
+}
+
 // resolveProfile returns p when non-nil, or OpenclawProfile as the
 // default. This lets existing call sites that do not pass a profile
 // keep their previous behavior.

internal/container/agent_profile_test.go

@@ -105,6 +105,58 @@ func TestHermesProfile_WireMCPUsesPython(t *testing.T) {
 	}
 }
 
+func TestProfileFromName_ErrorListsKnownSorted(t *testing.T) {
+	_, err := ProfileFromName("does-not-exist")
+	if err == nil {
+		t.Fatal("expected error for unknown profile")
+	}
+	msg := err.Error()
+	// "hermes" must appear before "openclaw" alphabetically when the list is sorted.
+	hi := strings.Index(msg, "hermes")
+	oi := strings.Index(msg, "openclaw")
+	if hi < 0 || oi < 0 || hi > oi {
+		t.Errorf("error message %q should list known profiles in sorted order (hermes before openclaw)", msg)
+	}
+}
+
+func TestValidateEnvFileRelPath(t *testing.T) {
+	good := []string{
+		".openclaw/.env",
+		".hermes/.env",
+		"home/agent/.env",
+		"a-b_c.env",
+	}
+	for _, p := range good {
+		if err := validateEnvFileRelPath(p); err != nil {
+			t.Errorf("expected %q to be accepted, got: %v", p, err)
+		}
+	}
+	bad := []string{
+		"",
+		"/abs/path",
+		"../escape",
+		"a/../b",
+		`a"; rm -rf /`,
+		"a$(whoami)",
+		"a b",
+		"a;b",
+		"a\nb",
+	}
+	for _, p := range bad {
+		if err := validateEnvFileRelPath(p); err == nil {
+			t.Errorf("expected %q to be rejected", p)
+		}
+	}
+}
+
+func TestBuildEnvInjectionScriptForProfile_RejectsUnsafePath(t *testing.T) {
+	bad := &AgentProfile{Name: "evil", EnvFileRelPath: `evil"; touch /tmp/pwned`}
+	_, err := BuildEnvInjectionScriptForProfile(bad, map[string]string{"K": "v"}, false, false)
+	if err == nil {
+		t.Fatal("expected error for unsafe EnvFileRelPath")
+	}
+}
+
 func TestResolveProfile_NilDefaultsToOpenclaw(t *testing.T) {
 	if resolveProfile(nil) != OpenclawProfile {
 		t.Error("nil profile should default to OpenclawProfile")