security(tools): scrub credential env vars from ShellExecutor subprocess environment (defense-in-depth) #2449

@bug-ops

Gap Source

Claude Code v2.1.x (March 2026) added CLAUDE_CODE_SUBPROCESS_ENV_SCRUB opt-in credential scrubbing. Competitive parity scan CI-307.

What Is Missing

Zeph's ShellExecutor inherits the full parent process environment when spawning shell commands. Any API key or secret that ends up in the process environment (despite vault-only policy) would be inherited by child processes.

Why It Matters

Defense-in-depth: even though Zeph's vault-only policy means production keys should never be in env, there are paths where this can happen:

  • RUST_LOG, HOME, PATH are benign, but the full env may contain credentials set by the user's shell profile before launching Zeph
  • Shell tools executed by the agent (arbitrary user commands) could exfiltrate env vars to external endpoints

Relationship to #2437

Issue #2437 (env var blocklist) blocks environment variable overrides into Zeph's config. This issue is about scrubbing credentials out of subprocess environments — complementary, not duplicate.

Implementation Sketch

Priority

P2 — defense-in-depth security gap. Relatively low implementation cost.
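
The scrubbing this issue asks for, sketched as an added example (not code from Zeph or from the issue author): clear the inherited environment and re-add only variables whose names do not look like credentials. The names `SECRET_MARKERS`, `is_credential_var`, `scrub_env` and `scrubbed_shell`, the marker list, and the use of `sh -c` are assumptions made for illustration.

```rust
use std::ffi::OsString;
use std::process::Command;

// Hypothetical name fragments treated as credential indicators (assumption,
// not Zeph's list). Substring matching fails closed: a benign name that
// happens to contain a marker is dropped too.
const SECRET_MARKERS: &[&str] = &[
    "API_KEY", "TOKEN", "SECRET", "PASSWORD", "PASSWD", "CREDENTIAL", "PRIVATE_KEY",
];

/// True when the variable name looks like it carries a credential.
fn is_credential_var(name: &str) -> bool {
    let upper = name.to_ascii_uppercase();
    SECRET_MARKERS.iter().any(|m| upper.contains(m))
}

/// Keep only variables that are safe to hand to a child process.
/// Names that are not valid UTF-8 cannot be classified and are dropped.
fn scrub_env<I>(vars: I) -> Vec<(OsString, OsString)>
where
    I: IntoIterator<Item = (OsString, OsString)>,
{
    vars.into_iter()
        .filter(|(k, _)| k.to_str().map_or(false, |n| !is_credential_var(n)))
        .collect()
}

/// Build a shell command that sees only the scrubbed copy of `parent_env`.
fn scrubbed_shell<I>(script: &str, parent_env: I) -> Command
where
    I: IntoIterator<Item = (OsString, OsString)>,
{
    let mut cmd = Command::new("sh");
    cmd.arg("-c").arg(script);
    cmd.env_clear(); // stop implicit inheritance of the parent environment
    cmd.envs(scrub_env(parent_env));
    cmd
}

fn main() {
    // Constructed parent environment: the real PATH plus a fake secret such
    // as a shell profile might export before the agent is launched.
    let mut parent: Vec<(OsString, OsString)> = Vec::new();
    if let Some(path) = std::env::var_os("PATH") {
        parent.push(("PATH".into(), path));
    }
    parent.push(("DEMO_API_KEY".into(), "sk-constructed-not-real".into()));
    let script = "echo \"key=[${DEMO_API_KEY:-}] path_set=${PATH:+yes}\"";
    let out = scrubbed_shell(script, parent).output().expect("spawn sh");
    print!("{}", String::from_utf8_lossy(&out.stdout));
}
```

In a real executor the `parent_env` argument would be `std::env::vars_os()`; a name-based denylist cannot catch secrets stored under innocuous names, so an allowlist of variables the tool actually needs is the stricter variant.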
