Background
While reviewing Claude Code's environment-variable surface, two candidates came up
for the agents/claude/audit.sh adapter:
- CLAUDE_CODE_SUBPROCESS_ENV_SCRUB
- CLAUDE_CODE_SUBPROCESS_ENV_ALLOWLIST
What we verified
Verbatim check against https://code.claude.com/docs/en/env-vars:
- CLAUDE_CODE_SUBPROCESS_ENV_SCRUB — referenced in the docs only as a
  precondition inside the CLAUDE_CODE_SCRIPT_CAPS entry. No dedicated entry,
  no documented default, no documented format. Implied semantics (inferred from
  that one mention, not verified against the binary): when set, it scrubs
  sensitive env vars before spawning Bash/tmux subprocesses, and it is required
  for CLAUDE_CODE_SCRIPT_CAPS to take effect.
- CLAUDE_CODE_SUBPROCESS_ENV_ALLOWLIST — not present in the docs.
  No evidence it exists; treat as not-real until proven otherwise.
- CLAUDE_CODE_SCRIPT_CAPS — fully documented. JSON object, substring
  matching against command text, integer per-session caps. Only effective when
  CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is set. Does not detect xargs /
  find -exec fan-out: because matching is against the command text, one command
  line that spawns many scripts is counted as one hit.
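To make the substring-matching point concrete, here is an added example (not Claude Code's implementation, and not code from this repo) of a per-session cap check modelled on the documented shape: a table of substrings with integer caps, matched against the raw command text. The table is a flat substring:cap list rather than the real JSON object so it runs in plain POSIX sh without jq, and the cap values are constructed.

```shell
#!/bin/sh
# Added example, not Claude Code's implementation: a toy model of per-session
# script caps, showing what substring matching against the command text can
# and cannot see. The docs describe the real setting as a JSON object; this
# model uses a flat "substring:cap" table so it runs with plain POSIX sh.
#
# Constructed cap table: at most 2 python3 invocations and 1 curl per session.
SCRIPT_CAPS='python3:2
curl:1'

# Per-session counters, kept as " needle=count" tokens in one string.
CAPS_STATE=""
CAPS_VERDICT=""

count_of() {            # count_of NEEDLE -> current count (0 if unseen)
    for tok in $CAPS_STATE; do
        case "$tok" in "$1="*) printf '%s\n' "${tok#*=}"; return 0 ;; esac
    done
    printf '0\n'
}

set_count() {           # set_count NEEDLE N -> replace or insert the token
    new=""
    for tok in $CAPS_STATE; do
        case "$tok" in "$1="*) ;; *) new="$new $tok" ;; esac
    done
    CAPS_STATE="$new $1=$2"
}

# caps_check CMD -> sets CAPS_VERDICT to allow or deny. Every capped substring
# that occurs anywhere in CMD is counted exactly once per command, regardless
# of how many processes that command will actually spawn.
caps_check() {
    cmd=$1
    verdict=allow
    while IFS=: read -r needle cap; do
        [ -n "$needle" ] || continue
        case "$cmd" in *"$needle"*) ;; *) continue ;; esac
        n=$(($(count_of "$needle") + 1))
        set_count "$needle" "$n"
        [ "$n" -le "$cap" ] || verdict=deny
    done <<EOF
$SCRIPT_CAPS
EOF
    CAPS_VERDICT=$verdict
    return 0
}

# run_session CMD... -> start a fresh session, feed each command through
# caps_check, then print the last verdict followed by the final counters.
run_session() {
    CAPS_STATE=""
    for c in "$@"; do caps_check "$c"; done
    printf '%s%s\n' "$CAPS_VERDICT" "$CAPS_STATE"
}

# A plain session hits the cap on the third python3 command:
run_session 'python3 a.py' 'python3 b.py' 'python3 c.py'
#   -> deny python3=3
# Fan-out through find -exec or xargs runs python3 once per file but counts
# once, because only the command text is inspected:
run_session "find . -name '*.py' -exec python3 {} \\;"
#   -> allow python3=1
# Substring matching also counts a mention that never executes anything:
run_session "echo 'no python3 is run here'"
#   -> allow python3=1
```

The last two calls are the caveat from the docs: a find -exec or xargs pipeline that runs python3 once per file still counts as one hit, and a command that merely mentions python3 counts too. Anything that wants to cap actual executions has to observe process creation rather than the command string.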
Why this matters for sandshell
Both env-scrubbing and script-caps fit the defense-in-depth posture sandshell
already enforces (deny-disable flag, sandbox enabled, Bash guard hooks).
Without scrubbing, API credentials in the parent shell flow into every
subprocess sandshell spawns — partially undermining the audit-trail and
guard-hook layers.
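The leakage described above, as an added example that is not sandshell's or Claude Code's code: one probe run three ways, inheriting the parent environment unchanged, through a pattern-based denylist scrub, and through an allowlist built on env -i. The exported variable names and values are constructed for the demo, and the denylist patterns are an illustration, not the set Claude Code strips.

```shell
#!/bin/sh
# Added example, not sandshell's or Claude Code's code. Shows how a credential
# exported in the parent shell reaches every child by default, and two ways a
# launcher can keep it out. Values below are constructed for the demo.
export ANTHROPIC_API_KEY='sk-ant-constructed-for-demo'   # constructed, not a real key
export DEMO_WORKDIR='/tmp/demo'                          # constructed, a benign variable

# inherit_run CMD: what happens without scrubbing; the child sees everything.
inherit_run() { sh -c "$1"; }

# scrub_run CMD: denylist approach. Unset every exported variable whose name
# matches a sensitive-looking pattern (illustrative patterns, an assumption),
# then spawn the child with the rest of the environment intact.
scrub_run() {
    cmd=$1
    set --
    for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'); do
        case "$name" in
            *_API_KEY|*_TOKEN|*_SECRET*|*PASSWORD*|AWS_*|GITHUB_*)
                set -- "$@" -u "$name" ;;
        esac
    done
    env "$@" sh -c "$cmd"
}

# allowlist_run CMD: stricter approach. Start from an empty environment and
# pass only the variables the child is known to need.
allowlist_run() {
    env -i PATH="$PATH" HOME="${HOME:-/}" LANG="${LANG:-C}" sh -c "$1"
}

# probe RUNNER -> what a child launched by RUNNER sees for ANTHROPIC_API_KEY.
probe() { "$1" 'printf "%s" "${ANTHROPIC_API_KEY:-<unset>}"'; }

printf 'inherited: %s\n' "$(probe inherit_run)"     # the constructed key leaks
printf 'scrubbed:  %s\n' "$(probe scrub_run)"       # <unset>
printf 'allowlist: %s\n' "$(probe allowlist_run)"   # <unset>
# The benign variable survives the denylist but not the allowlist:
printf 'workdir/scrub:     %s\n' "$(scrub_run 'printf "%s" "${DEMO_WORKDIR:-<unset>}"')"
printf 'workdir/allowlist: %s\n' "$(allowlist_run 'printf "%s" "${DEMO_WORKDIR:-<unset>}"')"
```

The denylist only catches names that follow a convention, so a key exported under an unusual name slips through; the allowlist fails closed but needs the child's real requirements enumerated. Which of the two the real scrub implements is exactly the open question under Blockers.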
Blockers before adding audit checks
- Confirm the CLAUDE_CODE_SUBPROCESS_ENV_SCRUB default value (on or off?).
- Confirm exact semantics: which env vars get stripped, and in which subprocess
  types (Bash tool, hook scripts, MCP stdio servers).
- Decide where to surface findings: env-var posture is process-state, not
  config-file state — does it fit the NDJSON adapter contract cleanly?
Suggested next steps
- File an upstream docs request for a first-class entry on
  CLAUDE_CODE_SUBPROCESS_ENV_SCRUB.
- Once semantics are pinned down, add cc.subprocess.env_scrub (info) and
  possibly cc.subprocess.script_caps (info) findings to agents/claude/audit.sh.
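A sketch of what the two proposed findings could look like as shell functions, added here as an example and not the adapter's code. The NDJSON record shape {id, severity, status, detail} is an assumption for this example, not the adapter contract, and the checks encode only what the docs state: whether CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is set, whether CLAUDE_CODE_SCRIPT_CAPS is set and shaped like a JSON object, and that caps are inert without SCRUB. The default-value and scope questions under Blockers stay open, so the env_scrub finding reports set/unset only and both findings keep the info severity proposed above.

```shell
#!/bin/sh
# Added example, not the sandshell adapter's code. Emits the two proposed
# findings as NDJSON. Record shape is an assumption for this example.

# emit ID SEVERITY STATUS DETAIL -> one NDJSON line. Callers pass fixed strings
# with no quotes or backslashes, so no JSON escaping is needed here.
emit() {
    printf '{"id":"%s","severity":"%s","status":"%s","detail":"%s"}\n' \
        "$1" "$2" "$3" "$4"
}

# check_env_scrub -> is CLAUDE_CODE_SUBPROCESS_ENV_SCRUB set in this process?
# Only presence is observable; the docs give no default or format.
check_env_scrub() {
    if [ -n "${CLAUDE_CODE_SUBPROCESS_ENV_SCRUB:-}" ]; then
        emit cc.subprocess.env_scrub info set \
            "subprocess env scrubbing is enabled in this environment"
    else
        emit cc.subprocess.env_scrub info unset \
            "CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is not set; documented default unknown"
    fi
}

# check_script_caps -> is CLAUDE_CODE_SCRIPT_CAPS set, shaped like a JSON
# object, and backed by the SCRUB precondition the docs require?
check_script_caps() {
    caps=${CLAUDE_CODE_SCRIPT_CAPS:-}
    if [ -z "$caps" ]; then
        emit cc.subprocess.script_caps info unset "CLAUDE_CODE_SCRIPT_CAPS is not set"
        return 0
    fi
    # Trim surrounding whitespace, then require the value to look like {...}.
    # This is a shape check only; full JSON validation needs jq or similar.
    caps=$(printf '%s' "$caps" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$caps" in
        "{"*"}") ;;
        *) emit cc.subprocess.script_caps info malformed "value is not a JSON object"
           return 0 ;;
    esac
    if [ -z "${CLAUDE_CODE_SUBPROCESS_ENV_SCRUB:-}" ]; then
        emit cc.subprocess.script_caps info ineffective \
            "caps set but CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is unset, so they do not apply"
    else
        emit cc.subprocess.script_caps info set \
            "caps set and scrub precondition satisfied"
    fi
}

# run_checks -> all findings, one NDJSON record per line.
run_checks() {
    check_env_scrub
    check_script_caps
}

run_checks
```

The ineffective status is the one worth having: it comes straight from the documented dependency between the two variables and catches a configuration that looks hardened but is not.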