From f37e228cc25bab29ebb9a343cacbd3649160c977 Mon Sep 17 00:00:00 2001
From: Viktor Liu <viktor@netbird.io>
Date: Wed, 20 May 2026 17:22:02 +0200
Subject: [PATCH] Replace magic env-var and subcommand strings with named
 constants

---
 client/vnc/server/agent_darwin.go  |  4 ++--
 client/vnc/server/agent_ipc.go     |  5 +++++
 client/vnc/server/agent_windows.go |  2 +-
 client/vnc/server/capture_x11.go   | 30 +++++++++++++++++++-----------
 client/vnc/server/input_x11.go     |  8 ++++----
 client/vnc/server/virtual_x11.go   |  4 ++--
 6 files changed, 33 insertions(+), 20 deletions(-)

diff --git a/client/vnc/server/agent_darwin.go b/client/vnc/server/agent_darwin.go
index c4aa94234..31adad5b9 100644
--- a/client/vnc/server/agent_darwin.go
+++ b/client/vnc/server/agent_darwin.go
@@ -172,7 +172,7 @@ func spawnAgentForUser(uid uint32, port uint16, token string) error {
 	}
 	cmd := exec.Command(
 		"/bin/launchctl", "asuser", strconv.FormatUint(uint64(uid), 10),
-		exe, "vnc-agent", "--port", strconv.FormatUint(uint64(port), 10),
+		exe, vncAgentSubcommand, "--port", strconv.FormatUint(uint64(port), 10),
 	)
 	cmd.Env = append(os.Environ(), agentTokenEnvVar+"="+token)
 	stderr, err := cmd.StderrPipe()
@@ -323,7 +323,7 @@ func argvIsVNCAgent(argv []string, ownBase string) bool {
 		return false
 	}
 	for _, a := range argv[1:] {
-		if a == "vnc-agent" {
+		if a == vncAgentSubcommand {
 			return true
 		}
 	}
diff --git a/client/vnc/server/agent_ipc.go b/client/vnc/server/agent_ipc.go
index 425300772..bc1eab62f 100644
--- a/client/vnc/server/agent_ipc.go
+++ b/client/vnc/server/agent_ipc.go
@@ -31,6 +31,11 @@ const (
 	// like this keep the secret out of the command line, where listings
 	// such as `ps` or Windows tasklist would expose it.
 	agentTokenEnvVar = "NB_VNC_AGENT_TOKEN" // #nosec G101 -- env var name, not a credential
+
+	// vncAgentSubcommand is the CLI subcommand the daemon invokes to start
+	// the per-session agent process. Must match cmd.vncAgentCmd.Use in
+	// client/cmd/vnc_agent.go.
+	vncAgentSubcommand = "vnc-agent"
 )
 
 // generateAuthToken returns a fresh hex-encoded random token for one
diff --git a/client/vnc/server/agent_windows.go b/client/vnc/server/agent_windows.go
index dfae07272..0e27212e4 100644
--- a/client/vnc/server/agent_windows.go
+++ b/client/vnc/server/agent_windows.go
@@ -352,7 +352,7 @@ func spawnAgentInSession(sessionID uint32, port uint16, authToken string, jobHan
 		return 0, fmt.Errorf("get executable path: %w", err)
 	}
 
-	cmdLine := fmt.Sprintf(`"%s" vnc-agent --port %d`, exePath, port)
+	cmdLine := fmt.Sprintf(`"%s" %s --port %d`, exePath, vncAgentSubcommand, port)
 	cmdLineW, err := windows.UTF16PtrFromString(cmdLine)
 	if err != nil {
 		return 0, fmt.Errorf("UTF16 cmdline: %w", err)
diff --git a/client/vnc/server/capture_x11.go b/client/vnc/server/capture_x11.go
index fb28d9a12..c7634bc2e 100644
--- a/client/vnc/server/capture_x11.go
+++ b/client/vnc/server/capture_x11.go
@@ -19,11 +19,19 @@ import (
 	"github.com/jezek/xgb/xproto"
 )
 
-// x11SocketDir is the well-known directory where X servers create their
-// abstract UNIX-domain sockets, named "X<display>". Used both for
-// auto-detecting an existing display and for placing/probing sockets of
-// virtual sessions we spawn.
-const x11SocketDir = "/tmp/.X11-unix"
+const (
+	// x11SocketDir is the well-known directory where X servers create
+	// their abstract UNIX-domain sockets, named "X<display>". Used both
+	// for auto-detecting an existing display and for placing/probing
+	// sockets of virtual sessions we spawn.
+	x11SocketDir = "/tmp/.X11-unix"
+
+	// envDisplay is the X11 display selector environment variable.
+	envDisplay = "DISPLAY"
+	// envXAuthority points X clients at the cookie file used to
+	// authenticate against the running X server.
+	envXAuthority = "XAUTHORITY"
+)
 
 // X11Capturer captures the screen from an X11 display using the MIT-SHM extension.
 type X11Capturer struct {
@@ -52,7 +60,7 @@ type X11Capturer struct {
 // environment variables if needed. This is required when running as a system
 // service where these vars aren't set.
 func detectX11Display() {
-	if os.Getenv("DISPLAY") != "" {
+	if os.Getenv(envDisplay) != "" {
 		return
 	}
 
@@ -115,10 +123,10 @@ func detectX11FromSockets() bool {
 		return false
 	}
 	display := ":" + strconv.Itoa(minDisplay)
-	os.Setenv("DISPLAY", display)
+	os.Setenv(envDisplay, display)
 	auth := findXorgAuthFromPS()
 	if auth != "" {
-		os.Setenv("XAUTHORITY", auth)
+		os.Setenv(envXAuthority, auth)
 		log.Infof("auto-detected DISPLAY=%s (from socket) XAUTHORITY=%s (from ps)", display, auth)
 	} else {
 		log.Infof("auto-detected DISPLAY=%s (from socket)", display)
@@ -167,9 +175,9 @@ func parseXorgArgs(args []string) (display, auth string) {
 }
 
 func setDisplayEnv(display, auth string) {
-	os.Setenv("DISPLAY", display)
+	os.Setenv(envDisplay, display)
 	if auth != "" {
-		os.Setenv("XAUTHORITY", auth)
+		os.Setenv(envXAuthority, auth)
 		log.Infof("auto-detected DISPLAY=%s XAUTHORITY=%s", display, auth)
 		return
 	}
@@ -205,7 +213,7 @@ func splitNull(data []byte) [][]byte {
 func NewX11Capturer(display string) (*X11Capturer, error) {
 	if display == "" {
 		detectX11Display()
-		display = os.Getenv("DISPLAY")
+		display = os.Getenv(envDisplay)
 	}
 	if display == "" {
 		return nil, fmt.Errorf("DISPLAY not set and no Xorg process found")
diff --git a/client/vnc/server/input_x11.go b/client/vnc/server/input_x11.go
index a904a3a90..ed44aff93 100644
--- a/client/vnc/server/input_x11.go
+++ b/client/vnc/server/input_x11.go
@@ -32,7 +32,7 @@ func NewX11InputInjector(display string) (*X11InputInjector, error) {
 	detectX11Display()
 
 	if display == "" {
-		display = os.Getenv("DISPLAY")
+		display = os.Getenv(envDisplay)
 	}
 	if display == "" {
 		return nil, fmt.Errorf("DISPLAY not set and no Xorg process found")
@@ -296,9 +296,9 @@ func (x *X11InputInjector) GetClipboard() string {
 }
 
 func (x *X11InputInjector) clipboardEnv() []string {
-	env := []string{"DISPLAY=" + x.display}
-	if auth := os.Getenv("XAUTHORITY"); auth != "" {
-		env = append(env, "XAUTHORITY="+auth)
+	env := []string{envDisplay + "=" + x.display}
+	if auth := os.Getenv(envXAuthority); auth != "" {
+		env = append(env, envXAuthority+"="+auth)
 	}
 	return env
 }
diff --git a/client/vnc/server/virtual_x11.go b/client/vnc/server/virtual_x11.go
index 2d3f1cbc7..0a764fca5 100644
--- a/client/vnc/server/virtual_x11.go
+++ b/client/vnc/server/virtual_x11.go
@@ -126,7 +126,7 @@ func (vs *VirtualSession) start() error {
 
 	// Grant the target user access to the display via xhost.
 	xhostCmd := exec.Command("xhost", "+SI:localuser:"+vs.user.Username)
-	xhostCmd.Env = []string{"DISPLAY=" + vs.display}
+	xhostCmd.Env = []string{envDisplay + "=" + vs.display}
 	if out, err := xhostCmd.CombinedOutput(); err != nil {
 		vs.log.Debugf("xhost: %s (%v)", strings.TrimSpace(string(out)), err)
 	}
@@ -447,7 +447,7 @@ func (vs *VirtualSession) stopDesktop() {
 
 func (vs *VirtualSession) buildUserEnv() []string {
 	return []string{
-		"DISPLAY=" + vs.display,
+		envDisplay + "=" + vs.display,
 		"HOME=" + vs.user.HomeDir,
 		"USER=" + vs.user.Username,
 		"LOGNAME=" + vs.user.Username,