diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..0c889b9
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-23 - [Variable Quoting in Shell Scripts]
+**Vulnerability:** Unquoted variable expansion in `entrypoint.sh` caused passwords with spaces to be truncated when passed to the `adduser` function.
+**Learning:** Shell word splitting can silently corrupt data integrity, specifically credentials, leading to weaker passwords than intended. This is often overlooked in "simple" wrapper scripts.
+**Prevention:** Always quote variable expansions (`"$var"`) unless word splitting is explicitly required and understood. Use tools like `checkbashisms` or `shellcheck` (though not available here) to detect these issues.
diff --git a/copyables/entrypoint.sh b/copyables/entrypoint.sh
index 0d224a0..4406a56 100644
--- a/copyables/entrypoint.sh
+++ b/copyables/entrypoint.sh
@@ -25,7 +25,7 @@ set -e
 CONFIG=/var/lib/softether/vpn_server.config
-if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
+if [ ! -f "$CONFIG" ] || [ ! -s "$CONFIG" ]; then
 # Generate a random PSK if not provided
 : ${PSK:=$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 20 | head -n 1)}
@@ -142,11 +142,11 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 for i in "${USER[@]}"; do
 IFS=':' read username password <<<"$i"
 # echo "Creating user: ${username}"
-adduser $username $password
+adduser "$username" "$password"
 done
 done <<<"$USERS"
 else
-adduser $USERNAME $PASSWORD
+adduser "$USERNAME" "$PASSWORD"
 fi
 echo 
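Review bot: The PSK fallback two lines below the newly quoted test, `: ${PSK:=$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 20 | head -n 1)}`, assigns whatever the pipeline emitted even when that is an empty string, and without `pipefail` a failing `tr` or `fold` leaves the pipeline status as `head`'s 0, so `set -e` never fires and the server would be set up with an empty pre-shared key. A one-line check after it closes the gap: `[[ -n "$PSK" ]] || { echo "failed to generate PSK" >&2; exit 1; }`. For consistency with the rule this commit establishes, the expansion can also be written `: "${PSK:=…}"` (harmless today since `:` ignores its arguments, but it stops the pattern being copied elsewhere). The `if` body this hunk opens continues well past the hunk.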
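Review bot: `IFS=':' read username password <<<"$i"` two lines above the now-quoted `adduser "$username" "$password"` still lacks `-r`, so a backslash inside a password is consumed by `read` before the call — the same class of silent credential corruption this commit is fixing; change it to `IFS=':' read -r username password <<<"$i"`. Quoting the `else` branch also means `adduser "$USERNAME" "$PASSWORD"` now receives empty strings rather than dropped arguments when either variable is unset; whether `adduser` (defined outside this hunk) rejects that is not visible here, so a guard such as `[[ -n "$USERNAME" && -n "$PASSWORD" ]]` before the call is worth confirming. As a style point, the `for i in "${USER[@]}"` context line reuses `USER`, which most environments populate with the login name, so a dedicated array name would avoid surprising any tool that reads `$USER` later. The enclosing `while … done <<<"$USERS"` loop and the outer `if` both start outside the hunk.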
@@ -156,15 +156,17 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 # handle VPNCMD_* commands right before setting admin passwords
 if [[ $VPNCMD_SERVER ]]; then
-while IFS=";" read -ra CMD; do
+IFS=";" read -ra COMMANDS <<<"$VPNCMD_SERVER"
+for CMD in "${COMMANDS[@]}"; do
 vpncmd_server $CMD
-done <<<"$VPNCMD_SERVER"
+done
 fi
 if [[ $VPNCMD_HUB ]]; then
-while IFS=";" read -ra CMD; do
+IFS=";" read -ra COMMANDS <<<"$VPNCMD_HUB"
+for CMD in "${COMMANDS[@]}"; do
 vpncmd_hub $CMD
-done <<<"$VPNCMD_HUB"
+done
 fi
 # set password for hub
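Review bot: The rewritten block reads only the first line of `$VPNCMD_SERVER`: `IFS=";" read -ra COMMANDS <<<"$VPNCMD_SERVER"` stops at the first newline, whereas the removed `while … read` loop consumed every line, so a newline-separated command list now silently loses everything after line one; the same applies to the `VPNCMD_HUB` block below it. The old loop had its own defect (`$CMD` on an array expands only element 0, so only the first `;`-separated command per line ever ran), which the new `for` fixes, and keeping the outer `while` around the new inner `for` preserves both behaviours. Empty elements from `;;` or a leading `;` would call `vpncmd_server` with no arguments, so a `[[ -n "$CMD" ]] || continue` guard is cheap. `$CMD` is still expanded unquoted, presumably so the command words reach `vpncmd_server` as separate arguments; if so a comment saying that would stop a later reviewer "fixing" it, and note it also subjects the value to glob expansion. The surrounding `if [ ! -f "$CONFIG" ]` body starts and ends outside the hunk.
```shell
if [[ $VPNCMD_SERVER ]]; then
  while IFS= read -r LINE || [[ -n "$LINE" ]]; do
    IFS=";" read -ra COMMANDS <<<"$LINE"
    for CMD in "${COMMANDS[@]}"; do
      [[ -n "$CMD" ]] || continue
      # intentionally unquoted: split the command into words for vpncmd_server
      vpncmd_server $CMD
    done
  done <<<"$VPNCMD_SERVER"
fi
# … unchanged: same loop shape for VPNCMD_HUB, calling vpncmd_hub …
```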