fix(cli): fix secure_getenv() bypass of one-shot token protection #1244

Open: Mossaka wants to merge 1 commit into main from fix/055-secure-getenv-bypass
Mossaka (Collaborator) commented Mar 11, 2026

Summary

  • Fix critical bug where secure_getenv() in the C one-shot-token library bypassed all token protection when called before getenv()
  • secure_getenv() was calling get_token_index() before init_token_list() and without the mutex, so the empty token list always returned -1 (not sensitive), passing raw token values through
  • Added initialization, mutex acquisition, and recursion guard to secure_getenv() matching the correct getenv() implementation

Fixes #756

Test plan

  • npm run build passes
  • npm test passes (856 tests)
  • npm run lint passes
  • Rust implementation already correct (uses shared handle_getenv_impl)
  • CI integration tests pass (one-shot-tokens.test.ts)

🤖 Generated with Claude Code

secure_getenv() was calling get_token_index() before init_token_list()
and without the mutex, causing all token protection to be bypassed when
secure_getenv() was the first call into the library (empty token list
returns -1 for all lookups). Added initialization, mutex acquisition,
and recursion guard matching the getenv() implementation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 11, 2026 18:46
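
The ordering bug described in the summary and commit message above, as an added example that is not part of the PR or the project's code. It is a simplified C model: lookup_before, lookup_after, take_once, still_in_env and the DEMO_TOKEN variable are hypothetical, and only get_token_index() and init_token_list() are names taken from the page.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model, not the project's code. Only get_token_index() and
 * init_token_list() are names from the PR; all bodies are assumptions. */
static const char *tokens[4];
static char *cache[4];
static int token_count;                 /* 0 until init_token_list() runs */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static _Thread_local int in_hook;       /* recursion guard */

static void init_token_list(void) {
    if (token_count == 0) tokens[token_count++] = "DEMO_TOKEN"; /* constructed */
}
static int get_token_index(const char *name) {
    for (int i = 0; i < token_count; i++)
        if (strcmp(tokens[i], name) == 0) return i;
    return -1;                          /* -1: treated as not sensitive */
}
/* One-shot behaviour: cache on first access, then unset the variable. */
static const char *take_once(int idx, const char *name) {
    const char *v = getenv(name);
    if (!cache[idx] && v) { cache[idx] = strdup(v); unsetenv(name); }
    return cache[idx];
}
/* Before the fix: lookup on a still-empty list, without the lock. */
const char *lookup_before(const char *name) {
    int idx = get_token_index(name);
    return idx < 0 ? getenv(name) : take_once(idx, name);
}
/* After the fix: recursion guard, lock, initialise, then look up. */
const char *lookup_after(const char *name) {
    if (in_hook) return getenv(name);   /* re-entrant call passes through */
    in_hook = 1;
    pthread_mutex_lock(&lock);
    init_token_list();
    int idx = get_token_index(name);
    const char *v = idx < 0 ? getenv(name) : take_once(idx, name);
    pthread_mutex_unlock(&lock);
    in_hook = 0;
    return v;
}
/* Fresh state, one lookup; returns 1 if the token is still in the env. */
int still_in_env(const char *(*lookup)(const char *)) {
    free(cache[0]); cache[0] = NULL; token_count = 0;
    setenv("DEMO_TOKEN", "constructed-value", 1);
    lookup("DEMO_TOKEN");
    return getenv("DEMO_TOKEN") != NULL;
}
```

still_in_env(lookup_before) returns 1 because the empty list reports every name as not sensitive, so the value is handed out and left in the environment; still_in_env(lookup_after) returns 0.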
@github-actions (Contributor)

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 82.50% | 82.64% | 📈 +0.14% |
| Statements | 82.50% | 82.63% | 📈 +0.13% |
| Functions | 82.69% | 82.69% | ➡️ +0.00% |
| Branches | 74.78% | 74.87% | 📈 +0.09% |

📁 Per-file Coverage Changes (1 files)

| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/docker-manager.ts | 84.0% → 84.5% (+0.54%) | 83.3% → 83.8% (+0.52%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes a critical security flaw in the agent’s one-shot-token LD_PRELOAD library where secure_getenv() could bypass token protection if invoked before getenv(), ensuring sensitive environment variables are still cached/unset on first access.

Changes:

  • Add mutex acquisition and init_token_list() initialization to secure_getenv() before calling get_token_index().
  • Add the same thread-local recursion guard behavior to secure_getenv() that getenv() already uses, preventing re-entrant deadlocks.
  • Ensure the non-sensitive path releases the mutex and clears the recursion guard before returning.

@github-actions (Contributor)

Smoke Test Results

Recent merged PRs:

Test Result
GitHub MCP (list merged PRs)
Playwright (github.com title)
File write
Bash verify

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1244

@github-actions (Contributor)

Smoke Test Results

GitHub MCP — Last 2 merged PRs:

Playwright — github.com title contains "GitHub"
File Write: /tmp/gh-aw/agent/smoke-test-copilot-22968955590.txt created and verified
Bash — File read back successfully

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #1244

@github-actions (Contributor)

PR titles:
test: expand credential hiding tests to all 14 protected paths
test(docker): verify capsh execution chain after PR #715
Tests: MCP ✅ | safeinputs-gh ✅ | Playwright ✅ | Tavily ❌ | File+cat ✅ | Discussion ✅ | Build ✅
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1244

@github-actions (Contributor)

Chroot Version Comparison Results

| Runtime | Host Version | Chroot Version | Match? |
|---|---|---|---|
| Python | Python 3.12.12 | Python 3.12.3 | ❌ NO |
| Node.js | v24.14.0 | v20.20.0 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1244

Development

Successfully merging this pull request may close these issues.

[Security] secure_getenv() bypasses one-shot token protection when called before getenv()