review(bklibcvenv): address Copilot's 5 inline comments on #348

All 5 points were legit:

1. **shift on empty args** (libexec/bklibcvenv:39) — with set -eo
   pipefail, `CMD=$1; shift` exited before the usage-error branch
   could fire when called with zero args. Now: check `$#` first.

2. **set -x unconditional** (line 73) — floods CI output. Gated
   behind BKLIBCVENV_DEBUG env var.

3. **chmod 775** (line 94) — group-writable on packaged artefacts
   is a bad-practice flag for security/packaging audits. Changed
   to 755.

4. **POSIX `--` in command -v / cd** (template line 12, 15) — not
   specified by POSIX for these built-ins; some old /bin/sh
   implementations reject. Dropped `--`; in our context $0 is
   never user-controlled so the defense was moot.

5. **sed-replacement metacharacter unsafety** (line 93) — values
   containing `&`, `\`, or the `|` delimiter would corrupt sed
   output. Defense in depth: added a `sed_escape()` helper and
   applied to all four interpolated values before substitution.

Values in question (LDSO, LIBDIR_NAME, LIBC_NAME, dir) are all
auto-detected or recipe-passed and won't realistically contain
sed metachars, but Copilot's right that this should not be a
latent footgun.

Author: tannevaled

libexec/bklibcvenv

@@ -35,7 +35,28 @@
 
 set -eo pipefail
 
-CMD=$1; shift
+if [ $# -lt 1 ]; then
+  echo "bklibcvenv: missing subcommand" >&2
+  echo "usage: $0 seal <prefix> <libdir-name>" >&2
+  exit 64
+fi
+
+CMD=$1
+shift
+
+# Optional debug tracing — opt-in via env to avoid log noise.
+[ -n "${BKLIBCVENV_DEBUG:-}" ] && set -x
+
+# sed-replacement-safe escape. Backslashes, ampersands, and the
+# `|` delimiter need to be quoted in the replacement-half of an
+# `s|…|…|g`. Without escaping a value like `foo&bar` would be
+# replaced by sed's match-back-reference; `foo\1bar` similarly
+# breaks. In practice our values are tightly controlled (LDSO,
+# LIBDIR_NAME etc. come from arch/version, never user input), so
+# this is defense in depth.
+sed_escape() {
+  printf '%s\n' "$1" | sed -e 's/[\\&|]/\\&/g'
+}
 
 case "$CMD" in
   seal)
@@ -63,14 +84,17 @@ case "$CMD" in
     LIBC_NAME=${LIBDIR_NAME%%-*}
 
     # Locate the wrapper template (share/brewkit/libcvenv-wrapper.sh).
-    SELF_DIR=$(CDPATH= cd -- "$(dirname "$0")" && pwd)
+    SELF_DIR=$(CDPATH= cd "$(dirname "$0")" && pwd)
     TEMPLATE="$SELF_DIR/../share/brewkit/libcvenv-wrapper.sh"
     if [ ! -f "$TEMPLATE" ]; then
       echo "bklibcvenv: wrapper template not found at $TEMPLATE" >&2
       exit 2
     fi
 
-    set -x
+    # Escape sed-replacement values once up-front.
+    LDSO_ESC=$(sed_escape "$LDSO")
+    LIBDIR_ESC=$(sed_escape "$LIBDIR_NAME")
+    LIBC_ESC=$(sed_escape "$LIBC_NAME")
 
     for dir in bin sbin; do
       [ -d "$PREFIX/$dir" ] || continue
@@ -85,13 +109,14 @@ case "$CMD" in
         name=$(basename "$f")
         mv "$f" "$PREFIX/libexec/$LIBC_NAME-$dir/"
 
+        DIR_ESC=$(sed_escape "$dir")
         sed \
-          -e "s|@LDSO@|$LDSO|g" \
-          -e "s|@LIBDIR@|$LIBDIR_NAME|g" \
-          -e "s|@LIBC_NAME@|$LIBC_NAME|g" \
-          -e "s|@DIR@|$dir|g" \
+          -e "s|@LDSO@|$LDSO_ESC|g" \
+          -e "s|@LIBDIR@|$LIBDIR_ESC|g" \
+          -e "s|@LIBC_NAME@|$LIBC_ESC|g" \
+          -e "s|@DIR@|$DIR_ESC|g" \
           "$TEMPLATE" > "$f"
-        chmod 775 "$f"
+        chmod 755 "$f"
 
         echo "wrapped $f"
       done

share/brewkit/libcvenv-wrapper.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
-# Template for bklibcvenv-generated wrappers.
+# Template for bklibcvenv-generated wrappers. Pure POSIX sh — no
+# `--` end-of-options markers (POSIX doesn't specify them for `cd`
+# or `command -v`; some old /bin/sh implementations reject them).
 #
 # Replaced by `bklibcvenv seal`:
 #   @LDSO@      e.g. ld-linux-x86-64.so.2
@@ -9,10 +11,10 @@
 
 case "$0" in
   */*) bindir=${0%/*} ;;
-  *) bindir=$(command -v -- "$0"); bindir=${bindir%/*} ;;
+  *) bindir=$(command -v "$0"); bindir=${bindir%/*} ;;
 esac
 
-prefix=$(CDPATH= cd -- "$bindir/.." && pwd)
+prefix=$(CDPATH= cd "$bindir/.." && pwd)
 libdir="$prefix/lib/@LIBDIR@"
 
 exec "$libdir/@LDSO@" --library-path "$libdir" "$prefix/libexec/@LIBC_NAME@-@DIR@/$(basename "$0")" "$@"