From e760de064a68af63bb754d8bcf30a1d442c6aaad Mon Sep 17 00:00:00 2001 From: A <258483684+la14-1@users.noreply.github.com> Date: Fri, 13 Feb 2026 05:03:38 -0800 Subject: [PATCH] fix: use shared setup_continue_config to prevent JSON injection in local/continue.sh (#921) local/continue.sh used a double-quoted heredoc to write the API key directly into ~/.continue/config.json without escaping. If the key contained double quotes, it could produce invalid JSON or inject additional config fields. Replace inline heredoc with the shared setup_continue_config helper which uses json_escape. Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) --- local/continue.sh | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/local/continue.sh b/local/continue.sh index 11aea8a4..0d230d67 100644 --- a/local/continue.sh +++ b/local/continue.sh @@ -52,24 +52,10 @@ log_step "Appending environment variables to ~/.zshrc..." inject_env_vars_local upload_file run_server \ "OPENROUTER_API_KEY=${OPENROUTER_API_KEY}" -# 6. Configure Continue -log_step "Configuring Continue..." -CONTINUE_CONFIG_DIR="${HOME}/.continue" -mkdir -p "${CONTINUE_CONFIG_DIR}" - -cat > "${CONTINUE_CONFIG_DIR}/config.json" <
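Review bot: the change at step 6 ("# 6. Configure Continue") comes without a regression test: the diffstat lists only local/continue.sh, so nothing pins the behaviour the commit message describes. Suggest a test that calls the shared setup_continue_config helper with a key containing a double quote and a backslash, then checks that ~/.continue/config.json parses as JSON and that the key value round-trips unchanged. Two more things to confirm in this hunk. The removed block ran `mkdir -p "${CONTINUE_CONFIG_DIR}"` before writing, so the helper has to create ~/.continue itself. The unchanged context line above the removal still passes `"OPENROUTER_API_KEY=${OPENROUTER_API_KEY}"` to inject_env_vars_local for appending to ~/.zshrc, so the same unescaped-quote concern is worth checking on that path.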