Infra: block auth env vars from workspace dotenv #57767

Merged: jacobtomlinson merged 3 commits into openclaw:main from jacobtomlinson:fix/fix-132 on Mar 30, 2026

Conversation

@jacobtomlinson
Contributor

Summary

  • blocks credential and gateway auth env vars from workspace .env files
  • keeps trusted state-dir .env support for the same keys

Changes

  • added explicit workspace dotenv blocklist entries for Anthropic, OpenAI, and gateway auth env vars
  • added regression coverage for blocked CWD .env values and allowed state-dir .env values

Validation

  • ran pnpm test -- src/infra/dotenv.test.ts
  • ran pnpm check
  • ran local agentic review with claude -p "/review" and verified the follow-up env var names it suggested are not present in the repo

Notes

  • This keeps the change explicit rather than introducing broader suffix blocking, to avoid widening workspace .env compatibility unexpectedly.

@openclaw-barnacle openclaw-barnacle Bot added size: S maintainer Maintainer-authored PR labels Mar 30, 2026
@greptile-apps
Contributor

greptile-apps Bot commented Mar 30, 2026

Greptile Summary

This PR hardens the workspace .env security model by adding six credential and gateway auth env vars (ANTHROPIC_API_KEY, ANTHROPIC_OAUTH_TOKEN, OPENAI_API_KEY, OPENCLAW_GATEWAY_TOKEN, OPENCLAW_GATEWAY_PASSWORD, OPENCLAW_GATEWAY_SECRET) to the explicit BLOCKED_WORKSPACE_DOTENV_KEYS set in dotenv.ts, preventing them from being injected via a project-level .env file while preserving the ability to set them from the trusted state-dir .env.

  • src/infra/dotenv.ts: Six credential/auth keys added to the BLOCKED_WORKSPACE_DOTENV_KEYS set, alphabetically ordered and consistent with existing entries.
  • src/infra/dotenv.test.ts: Two new regression tests added — one verifying all six new keys are blocked via loadWorkspaceDotEnvFile, and another confirming they are still settable via the trusted global (state-dir) path through loadDotEnv.
  • The design is intentionally explicit rather than suffix-based (e.g. *_API_KEY), in line with the project's conservative approach to .env compatibility.

Confidence Score: 5/5

Safe to merge — targeted blocklist addition with complete regression coverage and no observable side-effects on the trusted global path.

All changes are additive (entries to an existing Set), the logic path is straightforward, tests cover both the new block assertions and the allowed-state-dir path, and no P1/P0 issues were found.

No files require special attention.

Important Files Changed

Filename: Overview
src/infra/dotenv.ts: Six credential/auth keys added to the BLOCKED_WORKSPACE_DOTENV_KEYS set, alphabetically ordered and consistent with existing entries.
src/infra/dotenv.test.ts: Two new regression tests added covering both the block (CWD path) and allow (state-dir path) scenarios for the six new keys.

Reviews (1): Last reviewed commit: "Infra: block auth env vars from workspac..."


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8407378e42

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

@aisle-research-bot

aisle-research-bot Bot commented Mar 30, 2026

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#  Severity   Title
1  🟡 Medium  Untrusted workspace .env can inject many provider API tokens not covered by dotenv blocklist

1. 🟡 Untrusted workspace .env can inject many provider API tokens not covered by dotenv blocklist

Property  Value
Severity  Medium
CWE       CWE-1032
Location  src/infra/dotenv.ts:11-47

Description

loadWorkspaceDotEnvFile() treats the current working directory .env as untrusted (it already blocks proxy vars, gateway auth, and *_BASE_URL to prevent endpoint redirection). However, the workspace blocklist only includes a small subset of credential variables (Anthropic/OpenAI + gateway), leaving many other secret-bearing env vars still settable from an untrusted repo/workspace.

Impact:

  • A malicious repository can ship a .env that sets other provider credentials such as GITHUB_TOKEN, GH_TOKEN, OPENROUTER_API_KEY, TAVILY_API_KEY, etc.
  • The application resolves provider auth from environment variables (see src/secrets/provider-env-vars.ts which enumerates known secret/auth env var names), so these injected values can be used at runtime.
  • This can lead to data exfiltration to attacker-controlled third-party accounts (prompts/queries sent to external APIs under attacker keys) or unintended authentication context.

Vulnerable code (workspace dotenv filtering is incomplete):

return (
  shouldBlockRuntimeDotEnvKey(upper) ||
  BLOCKED_WORKSPACE_DOTENV_KEYS.has(upper) ||
  BLOCKED_WORKSPACE_DOTENV_PREFIXES.some((prefix) => upper.startsWith(prefix)) ||
  BLOCKED_WORKSPACE_DOTENV_SUFFIXES.some((suffix) => upper.endsWith(suffix))
);

Recommendation

Extend the workspace .env denylist to cover all env vars that the application may treat as secrets/credentials, not just OpenAI/Anthropic.

Suggested approach:

  1. Centralize the list of secret/auth env var names (e.g., from listKnownSecretEnvVarNames() / listKnownProviderAuthEnvVarNames() in src/secrets/provider-env-vars.ts).
  2. Block those names (and optionally provider-specific prefixes) when loading workspace .env.

Example:

// dotenv.ts
import { listKnownSecretEnvVarNames } from "../secrets/provider-env-vars.js";

const BLOCKED_WORKSPACE_DOTENV_KEYS = new Set([
  ...existingBlockedKeys,
  ...listKnownSecretEnvVarNames().map((k) => k.toUpperCase()),
]);

Also add tests that assert representative non-OpenAI/Anthropic secret env vars (e.g., GITHUB_TOKEN, OPENROUTER_API_KEY) are not set from CWD .env but may be set from the trusted global .env if that is intended.


Analyzed PR: #57767 at commit 300fcf0

Last updated on: 2026-03-30T15:43:58Z

Latest run failed. Keeping previous successful results. Trace ID: 019d3f7941fbc1b8163a6820292856ff.

Last updated on: 2026-03-30T16:22:26Z

@jacobtomlinson
Contributor Author

Follow-up pushed on top of the rebased branch. The workspace dotenv filter now also blocks OPENAI_API_KEYS, OPENAI_API_KEY_*, and ANTHROPIC_API_KEY_*, with matching regression coverage for both blocked workspace .env values and allowed state-dir .env values.


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 300fcf0474

@jacobtomlinson
Contributor Author

Addressed the remaining review feedback on workspace dotenv credential injection. The latest commit blocks the OPENCLAW_LIVE_* provider auth vars from repo-controlled .env files as well, while keeping the trusted state-dir .env behavior unchanged. Local validation: pnpm test -- src/infra/dotenv.test.ts and pnpm check.

@jacobtomlinson
Copy link
Copy Markdown
Contributor Author

Addressed the remaining review feedback on workspace dotenv credential injection. The latest commit blocks the provider auth vars from repo-controlled files as well, while keeping the trusted state-dir behavior unchanged. Local validation:

openclaw@2026.3.30 test /home/ubuntu/Projects/openclaw/openclaw/.worktrees/fix/fix-132
node scripts/test-parallel.mjs -- src/infra/dotenv.test.ts

[test-parallel] start unit workers=6 filters=1

RUN v4.1.2 /home/ubuntu/Projects/openclaw/openclaw/.worktrees/fix/fix-132

Test Files 1 passed (1)
Tests 12 passed (12)
Start at 16:00:30
Duration 3.75s (transform 486ms, setup 3.56s, import 9ms, tests 33ms, environment 0ms)

[test-parallel] done unit code=0 elapsed=4.6s
[test-parallel] summary failurePolicy=fail-fast failedUnits=0 failedTestFiles=0 infraFailures=0 and

openclaw@2026.3.30 check /home/ubuntu/Projects/openclaw/openclaw/.worktrees/fix/fix-132
pnpm check:no-conflict-markers && pnpm check:host-env-policy:swift && pnpm tsgo && pnpm lint && pnpm lint:webhook:no-low-level-body-read && pnpm lint:auth:no-pairing-store-group && pnpm lint:auth:pairing-account-scope

openclaw@2026.3.30 check:no-conflict-markers /home/ubuntu/Projects/openclaw/openclaw/.worktrees/fix/fix-132
node scripts/check-no-conflict-markers.mjs

openclaw@2026.3.30 check:host-env-policy:swift /home/ubuntu/Projects/openclaw/openclaw/.worktrees/fix/fix-132
node scripts/generate-host-env-security-policy-swift.mjs --check

OK apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift

openclaw@2026.3.30 lint /home/ubuntu/Projects/openclaw/openclaw/.worktrees/fix/fix-132
oxlint --type-aware

Found 0 warnings and 0 errors.
Finished in 9.1s on 5804 files using 64 threads.

openclaw@2026.3.30 lint:webhook:no-low-level-body-read /home/ubuntu/Projects/openclaw/openclaw/.worktrees/fix/fix-132
node scripts/check-webhook-auth-body-order.mjs

openclaw@2026.3.30 lint:auth:no-pairing-store-group /home/ubuntu/Projects/openclaw/openclaw/.worktrees/fix/fix-132
node scripts/check-no-pairing-store-group-auth.mjs

openclaw@2026.3.30 lint:auth:pairing-account-scope /home/ubuntu/Projects/openclaw/openclaw/.worktrees/fix/fix-132
node scripts/check-pairing-account-scope.mjs.

@jacobtomlinson jacobtomlinson merged commit 7a5c5f3 into openclaw:main Mar 30, 2026
8 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ca20f0c0c0

Comment thread src/infra/dotenv.ts
]);

const BLOCKED_WORKSPACE_DOTENV_SUFFIXES = ["_BASE_URL"];
const BLOCKED_WORKSPACE_DOTENV_PREFIXES = ["ANTHROPIC_API_KEY_", "OPENAI_API_KEY_"];

P1: Block Google API key vars from workspace dotenv

The new workspace dotenv hardening still allows Google credentials to be injected from a repo-controlled .env: BLOCKED_WORKSPACE_DOTENV_PREFIXES only covers Anthropic/OpenAI, and the blocked key set also omits GEMINI_API_KEY, GEMINI_API_KEYS, and GOOGLE_API_KEY. Those variables are consumed by runtime key collection (collectProviderApiKeys in src/agents/live-auth-keys.ts) and then used for execution (collectProviderApiKeysForExecution in src/agents/api-key-rotation.ts and src/media-understanding/runner.entries.ts), so untrusted workspaces can still supply Google provider auth despite this commit’s credential-blocking intent.

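The two-tier model this PR and the review bots argue over (an untrusted workspace .env filtered through exact keys, prefixes and suffixes; a trusted state-dir .env applied as-is) is small enough to show end to end. The following is an added, illustrative reimplementation, not the openclaw code from src/infra/dotenv.ts. It reuses the constant names and the key, prefix and suffix values quoted in this thread (including the OPENAI_API_KEYS and OPENCLAW_LIVE_ follow-ups), but RUNTIME_BLOCKED_KEYS (a stand-in for the proxy-variable check the Aisle comment mentions), parseDotEnv, applyDotEnv and DotEnvSource are assumptions of this example, and the sample .env content is constructed. It also makes the residual gap concrete: GITHUB_TOKEN and GEMINI_API_KEY, named by the Aisle and Codex reviews above, pass the filter unchanged.

```typescript
// Illustrative reimplementation (not the openclaw code) of a two-tier dotenv
// loader: keys from an untrusted workspace .env go through a blocklist,
// keys from the trusted state-dir .env do not.

// Exact names quoted in this PR thread; the real set may hold more entries.
export const BLOCKED_WORKSPACE_DOTENV_KEYS: ReadonlySet<string> = new Set([
  "ANTHROPIC_API_KEY",
  "ANTHROPIC_OAUTH_TOKEN",
  "OPENAI_API_KEY",
  "OPENAI_API_KEYS",
  "OPENCLAW_GATEWAY_PASSWORD",
  "OPENCLAW_GATEWAY_SECRET",
  "OPENCLAW_GATEWAY_TOKEN",
]);
// Prefixes and suffixes quoted in the thread (OPENCLAW_LIVE_ from the follow-up comment).
export const BLOCKED_WORKSPACE_DOTENV_PREFIXES: readonly string[] = [
  "ANTHROPIC_API_KEY_",
  "OPENAI_API_KEY_",
  "OPENCLAW_LIVE_",
];
export const BLOCKED_WORKSPACE_DOTENV_SUFFIXES: readonly string[] = ["_BASE_URL"];

// Hypothetical stand-in for the runtime-level check the thread mentions
// ("it already blocks proxy vars"); the real shouldBlockRuntimeDotEnvKey is not shown.
const RUNTIME_BLOCKED_KEYS: ReadonlySet<string> = new Set([
  "HTTP_PROXY",
  "HTTPS_PROXY",
  "ALL_PROXY",
  "NO_PROXY",
]);

// Comparison is on the upper-cased name, so lower-case variants are caught too.
export function shouldBlockWorkspaceDotEnvKey(key: string): boolean {
  const upper = key.trim().toUpperCase();
  return (
    RUNTIME_BLOCKED_KEYS.has(upper) ||
    BLOCKED_WORKSPACE_DOTENV_KEYS.has(upper) ||
    BLOCKED_WORKSPACE_DOTENV_PREFIXES.some((prefix) => upper.startsWith(prefix)) ||
    BLOCKED_WORKSPACE_DOTENV_SUFFIXES.some((suffix) => upper.endsWith(suffix))
  );
}

// Minimal KEY=VALUE parser: skips blank lines and # comments, accepts an
// optional "export " prefix, strips one layer of matching quotes.
export function parseDotEnv(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim().replace(/^export\s+/, "");
    let value = line.slice(eq + 1).trim();
    const first = value.charAt(0);
    if (value.length >= 2 && (first === '"' || first === "'") && value.endsWith(first)) {
      value = value.slice(1, -1);
    }
    out[key] = value;
  }
  return out;
}

export type DotEnvSource = "workspace" | "state-dir";

export interface ApplyResult {
  applied: string[]; // keys written into env
  blocked: string[]; // keys rejected by the workspace blocklist
  skipped: string[]; // keys already present in env (the real environment wins)
}

// Merges a .env text into `env` (a stand-in for process.env). Only the
// workspace source is filtered; the state-dir source is trusted as-is.
export function applyDotEnv(
  text: string,
  source: DotEnvSource,
  env: Record<string, string | undefined>,
): ApplyResult {
  const result: ApplyResult = { applied: [], blocked: [], skipped: [] };
  for (const [key, value] of Object.entries(parseDotEnv(text))) {
    if (source === "workspace" && shouldBlockWorkspaceDotEnvKey(key)) {
      result.blocked.push(key);
      continue;
    }
    if (env[key] !== undefined) {
      result.skipped.push(key);
      continue;
    }
    env[key] = value;
    result.applied.push(key);
  }
  return result;
}
```

Running applyDotEnv over a constructed workspace .env that sets OPENAI_API_KEY, OPENAI_API_KEY_2, openclaw_gateway_token, OLLAMA_BASE_URL, OPENCLAW_LIVE_FOO, GITHUB_TOKEN and GEMINI_API_KEY rejects the first five and applies the last two; the same text from the state-dir source applies everything. That asymmetry in the applied list is the reason both reviews ask for the workspace set to be derived from the central secret-name list rather than maintained by hand.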

pgondhi987 pushed a commit to pgondhi987/openclaw that referenced this pull request Mar 31, 2026
* Infra: block auth env vars from workspace dotenv

* Infra: block workspace dotenv auth key variants

* Infra: block workspace dotenv live auth keys
lovewanwan pushed a commit to lovewanwan/openclaw that referenced this pull request Apr 28, 2026
* Infra: block auth env vars from workspace dotenv

* Infra: block workspace dotenv auth key variants

* Infra: block workspace dotenv live auth keys
Tardisyuan pushed a commit to Tardisyuan/openclaw that referenced this pull request Apr 30, 2026
* Infra: block auth env vars from workspace dotenv

* Infra: block workspace dotenv auth key variants

* Infra: block workspace dotenv live auth keys
ogt-redknie pushed a commit to ogt-redknie/OPENX that referenced this pull request May 2, 2026
* Infra: block auth env vars from workspace dotenv

* Infra: block workspace dotenv auth key variants

* Infra: block workspace dotenv live auth keys
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 9, 2026
* Infra: block auth env vars from workspace dotenv

* Infra: block workspace dotenv auth key variants

* Infra: block workspace dotenv live auth keys