V9.14.024.2026.06.11

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

lib/lib_clean_up.sh

@@ -33,6 +33,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 clean_up() {
   declare clean_exit_code="$1" fs_type="" _old_nullglob="" _old_dotglob="" _old_failglob=""
+  declare build_dir_valid="false" includes_chroot=""
 
   ### Enable nullglob/dotglob, disable failglob for safe globbing.
   _old_nullglob="$(shopt -p nullglob || true)"
@@ -52,10 +53,10 @@ clean_up() {
   rm -f -- "${VAR_NOTES}"
 
   ### Release advisory lock on FD 127.
-  flock -u 127
+  flock -u 127 2>/dev/null || true
 
   ### Close file descriptor 127.
-  exec 127>&-
+  exec 127>&- 2>/dev/null || true
 
   ### Remove the lockfile artifact.
   rm -f /run/lock/ciss_live_builder.lock
@@ -100,32 +101,46 @@ clean_up() {
   ### No tracing for security reasons ------------------------------------------------------------------------------------------
   [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
 
-  ### Removes secrets securely.
-  # shellcheck disable=SC2312
-  find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
-  find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
+  ### Stop xtrace before destructive cleanup and collect still-available exact secret values.
+  ### The final log rewrite runs later from the trap after no further debug/error log writes are expected.
+  finalize_debug_xtrace_logging || true
+  collect_debug_secret_values || true
 
-  ### Securely shred all regular files below ./includes.chroot, then remove empty dirs.
-  if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
+  ### Removes secrets securely.
+  if [[ -n "${VAR_TMP_SECRET:-}" && -d "${VAR_TMP_SECRET}" && ! -L "${VAR_TMP_SECRET}" ]]; then
 
     # shellcheck disable=SC2312
-    find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
+    find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- || true
+    find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete || true
+
+  fi
+
+  if [[ -n "${VAR_HANDLER_BUILD_DIR:-}" && -d "${VAR_HANDLER_BUILD_DIR}" ]]; then
+    if require_builder_owned_build_dir "${VAR_HANDLER_BUILD_DIR}"; then
+      build_dir_valid="true"
+    fi
+  fi
+
+  ### Securely shred all regular files below ./includes.chroot, then remove empty dirs.
+  includes_chroot="${VAR_HANDLER_BUILD_DIR:-}/config/includes.chroot"
+  if [[ "${build_dir_valid}" == "true" && -d "${includes_chroot}" ]] \
+    && require_builder_owned_subpath "${VAR_HANDLER_BUILD_DIR}" "${includes_chroot}"; then
+
+    # shellcheck disable=SC2312
+    find "${includes_chroot}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- || true
 
     ### Remove empty directories (bottom-up).
-    find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
+    find "${includes_chroot}" -depth -xdev -type d -empty -delete || true
 
   fi
 
   ### Delete all files and directories below ./chroot.
-  if [[ -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then
+  if [[ "${build_dir_valid}" == "true" && -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then
 
-    rm -rf "${VAR_HANDLER_BUILD_DIR}/chroot"
+    safe_remove_builder_subpath "${VAR_HANDLER_BUILD_DIR}" "${VAR_HANDLER_BUILD_DIR}/chroot" || true
 
   fi
 
-  ### Turn on tracing again ----------------------------------------------------------------------------------------------------
-  [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
-
   eval "${_old_nullglob}" 2>/dev/null || true
   eval "${_old_dotglob}"  2>/dev/null || true
   eval "${_old_failglob}" 2>/dev/null || true