From 5d59c2d61fb93736fc2f8205cd7436425d71f929 Mon Sep 17 00:00:00 2001
From: Richard Kiene
Date: Fri, 22 Aug 2025 18:24:45 -0700
Subject: [PATCH 1/2] Fix 1Password domain resolution in firewall script

The strict IFS=$'\n\t' setting was preventing proper iteration over space-separated strings for 1Password domains. This caused the firewall script to try resolving all domains as a single concatenated string instead of individual domains. Changed to use bash arrays for subdomain and TLD lists, which work correctly regardless of IFS settings. Fixes: - my.1password.com and other 1Password domains not being resolved - op vault list hanging due to blocked network connections - All 1Password API endpoints now properly allowlisted
---
 docker-image/scripts/init-firewall.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docker-image/scripts/init-firewall.sh b/docker-image/scripts/init-firewall.sh
index 2ec015a..2fcb58b 100644
--- a/docker-image/scripts/init-firewall.sh
+++ b/docker-image/scripts/init-firewall.sh
@@ -80,11 +80,11 @@ done
 # Based on: https://support.1password.com/ports-domains/
 echo "Configuring 1Password domains..."
 # Common 1Password subdomains across all regions (.com, .eu, .ca)
-onepassword_subdomains="1password my.1password app.1password api.1password events.1password b5n.1password"
-onepassword_tlds="com eu ca"
+onepassword_subdomains=("1password" "my.1password" "app.1password" "api.1password" "events.1password" "b5n.1password")
+onepassword_tlds=("com" "eu" "ca")
 
-for subdomain in $onepassword_subdomains; do
- for tld in $onepassword_tlds; do
+for subdomain in "${onepassword_subdomains[@]}"; do
+ for tld in "${onepassword_tlds[@]}"; do
 domain="${subdomain}.${tld}"
 echo "Resolving $domain..."
 # Use timeout and don't fail if a regional domain doesn't exist
From 4f7126fe51002fe483e2b5621cfd797e14cd009f Mon Sep 17 00:00:00 2001
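Review bot: The comment kept at the end of this hunk, `# Use timeout and don't fail if a regional domain doesn't exist`, means a lookup failure is tolerated for every entry, so the word-splitting bug this commit fixes apparently left the firewall up with no 1Password addresses allowlisted and no error reported. Counting successful lookups in the inner loop and checking once after the outer `done` would surface that state, for example `(( onepassword_resolved > 0 )) || echo "WARNING: no 1Password domains resolved" >&2`. The resolution command and the end of both loops lie outside the hunk, so where the counter is incremented has to be confirmed against the full script. As the two arrays are fixed allowlist inputs, `readonly onepassword_subdomains onepassword_tlds` after the assignments would also mark them as constants.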
From: Richard Kiene
Date: Fri, 22 Aug 2025 18:52:16 -0700
Subject: [PATCH 2/2] Remove unreliable 1Password postStartCommand verification

The postStartCommand check for 1Password was giving false warnings even when 1Password was properly authenticated. This was due to environment variable handling differences in the shell context where postStartCommand runs. Since the setup-1password.sh script already provides clear feedback during postCreateCommand, and users can easily verify with 'op whoami' if needed, the postStartCommand check adds more confusion than value. Removed from both the main devcontainer.json and the template version.
---
 .devcontainer/devcontainer.json | 3 ---
 src/liquescent-devcontainer/.devcontainer/devcontainer.json | 3 ---
 2 files changed, 6 deletions(-)

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index d7844b9..0d3f98a 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -65,8 +65,5 @@
 "firewall": "sudo /usr/local/bin/init-firewall.sh",
 "git": "/usr/local/bin/setup-git.sh",
 "1password": "/usr/local/bin/setup-1password.sh"
- },
- "postStartCommand": {
- "verify-1password": "op vault list 2>/dev/null || echo '⚠️ 1Password CLI not authenticated. Run setup-1password.sh for options.'"
 }
 }
\ No newline at end of file
diff --git a/src/liquescent-devcontainer/.devcontainer/devcontainer.json b/src/liquescent-devcontainer/.devcontainer/devcontainer.json
index d7844b9..0d3f98a 100644
--- a/src/liquescent-devcontainer/.devcontainer/devcontainer.json
+++ b/src/liquescent-devcontainer/.devcontainer/devcontainer.json
@@ -65,8 +65,5 @@
 "firewall": "sudo /usr/local/bin/init-firewall.sh",
 "git": "/usr/local/bin/setup-git.sh",
 "1password": "/usr/local/bin/setup-1password.sh"
- },
- "postStartCommand": {
- "verify-1password": "op vault list 2>/dev/null || echo '⚠️ 1Password CLI not authenticated. Run setup-1password.sh for options.'"
 }
 }
\ No newline at end of file