diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..a26a8a6 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2025-05-23 - Shell Script Variable Quoting and Globbing +**Vulnerability:** Found unquoted variables in `adduser` loop allowing password truncation/corruption (spaces/globs), and `VPNCMD_*` command processing vulnerable to glob injection and logic error (ignoring subsequent commands). +**Learning:** In bash, unquoted variables are subject to word splitting and glob expansion. `read` without `-r` interprets backslashes. Loops over `read` output need careful logic to ensure all input is processed. +**Prevention:** Always quote variables (`"$var"`) unless word splitting is explicitly intended. Use `read -r`. Use `set -f` when relying on word splitting but wanting to avoid globbing. Verify loop logic for multi-line/delimiter processing. diff --git a/copyables/entrypoint.sh b/copyables/entrypoint.sh index 0d224a0..7eb0393 100644 --- a/copyables/entrypoint.sh +++ b/copyables/entrypoint.sh @@ -140,13 +140,13 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then if [[ $USERS ]]; then while IFS=';' read -ra USER; do for i in "${USER[@]}"; do - IFS=':' read username password <<<"$i" + IFS=':' read -r username password <<<"$i" # echo "Creating user: ${username}" - adduser $username $password + adduser "$username" "$password" done done <<<"$USERS" else - adduser $USERNAME $PASSWORD + adduser "$USERNAME" "$PASSWORD" fi echo 
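Review bot: With the arguments now quoted, an empty field — a `;;` in USERS or an entry without a `:` — reaches `adduser "$username" "$password"` as an empty argument instead of silently vanishing as it did with the unquoted form, so the inner loop should guard before the call, `[[ -n "$username" && -n "$password" ]] || continue`, or fail with a message on stderr. The enclosing condition shown in the hunk header, `if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then`, still has the same unquoted-expansion defect the commit fixes elsewhere; `if [[ ! -f "$CONFIG" || ! -s "$CONFIG" ]]; then` closes it. Passing the password to `adduser` as an argument also leaves it visible to any process listing in the container; whether that matters depends on what `adduser`, defined outside the hunk, does with it. The enclosing `if` block starts and ends outside the hunk.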
@@ -156,15 +156,21 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then # handle VPNCMD_* commands right before setting admin passwords if [[ $VPNCMD_SERVER ]]; then - while IFS=";" read -ra CMD; do - vpncmd_server $CMD - done <<<"$VPNCMD_SERVER" + set -f + IFS=";" read -ra CMDS <<<"$VPNCMD_SERVER" + for cmd in "${CMDS[@]}"; do + vpncmd_server $cmd + done + set +f fi if [[ $VPNCMD_HUB ]]; then - while IFS=";" read -ra CMD; do - vpncmd_hub $CMD - done <<<"$VPNCMD_HUB" + set -f + IFS=";" read -ra CMDS <<<"$VPNCMD_HUB" + for cmd in "${CMDS[@]}"; do + vpncmd_hub $cmd + done + set +f fi # set password for hub
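Review bot: The single `IFS=";" read -ra CMDS <<<"$VPNCMD_SERVER"` consumes only the first line of the variable, whereas the removed `while … read` loop visited every line; if VPNCMD_SERVER or VPNCMD_HUB can carry newlines (the hunk does not show either way), later lines are now dropped silently. The unconditional `set +f` also re-enables globbing even if the script already had it off before this point, and the SERVER and HUB blocks are the same six lines twice. I would fold both into one helper, defined with the script's other functions, that keeps the per-line loop, restores the previous noglob state from `$-`, skips empty elements left by a doubled `;`, and documents the deliberate word-splitting with `# shellcheck disable=SC2086`; each `if` block then becomes one call. The enclosing `if [ ! -f $CONFIG ] …` block starts and ends outside the hunk.
```shell
# Run one vpncmd_* wrapper ($1) per ';'-separated command in $2, on every
# line of the input.  Each command is deliberately word-split on whitespace;
# globbing is disabled meanwhile and the previous noglob state is restored.
run_vpncmd_list() {
  local runner=$1 input=$2 cmd
  local -a cmds
  local noglob_was_set=0
  [[ $- == *f* ]] && noglob_was_set=1
  set -f
  while IFS=";" read -ra cmds; do
    for cmd in "${cmds[@]}"; do
      [[ -n "$cmd" ]] || continue   # skip empties left by a doubled ';'
      # shellcheck disable=SC2086  -- intentional word-splitting, globbing is off
      "$runner" $cmd
    done
  done <<<"$input"
  (( noglob_was_set )) || set +f
}

# … unchanged: "# handle VPNCMD_* commands right before setting admin passwords" …
if [[ $VPNCMD_SERVER ]]; then
  run_vpncmd_list vpncmd_server "$VPNCMD_SERVER"
fi
if [[ $VPNCMD_HUB ]]; then
  run_vpncmd_list vpncmd_hub "$VPNCMD_HUB"
fi
```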