fix(acp): preserve custom server auth env and share stripping list

rodrigouroz · rodrigouroz · commit d24f6954da7d · 2026-03-10T12:10:22.000Z
Use a shared provider auth env-var list for ACP child process scrubbing so
both the CLI ACP path and the acpx runtime strip the same credentials,
including non-_API_KEY tokens like GITHUB_TOKEN and HF_TOKEN.

Only apply provider auth env stripping on the default OpenClaw bridge path.
Explicit custom ACP servers keep their env-based auth contract.
diff --git a/extensions/acpx/src/runtime-internals/process.test.ts b/extensions/acpx/src/runtime-internals/process.test.ts
@@ -2,7 +2,7 @@ import { spawn } from "node:child_process";
 import { mkdir, mkdtemp, rm, writeFile } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import path from "node:path";
-import { afterEach, describe, expect, it } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import { createWindowsCmdShimFixture } from "../../../shared/windows-cmd-shim-test-fixtures.js";
 import {
   resolveSpawnCommand,
@@ -28,6 +28,7 @@ async function createTempDir(): Promise<string> {
 }
 
 afterEach(async () => {
+  vi.unstubAllEnvs();
   while (tempDirs.length > 0) {
     const dir = tempDirs.pop();
     if (!dir) {
@@ -289,4 +290,36 @@ describe("spawnAndCollect", () => {
     const result = await resultPromise;
     expect(result.error?.name).toBe("AbortError");
   });
+
+  it("strips shared provider auth env vars from spawned acpx children", async () => {
+    vi.stubEnv("OPENAI_API_KEY", "openai-secret");
+    vi.stubEnv("GITHUB_TOKEN", "gh-secret");
+    vi.stubEnv("HF_TOKEN", "hf-secret");
+    vi.stubEnv("OPENCLAW_API_KEY", "keep-me");
+
+    const result = await spawnAndCollect({
+      command: process.execPath,
+      args: [
+        "-e",
+        "process.stdout.write(JSON.stringify({openai:process.env.OPENAI_API_KEY,github:process.env.GITHUB_TOKEN,hf:process.env.HF_TOKEN,openclaw:process.env.OPENCLAW_API_KEY,shell:process.env.OPENCLAW_SHELL}))",
+      ],
+      cwd: process.cwd(),
+    });
+
+    expect(result.code).toBe(0);
+    expect(result.error).toBeNull();
+
+    const parsed = JSON.parse(result.stdout) as {
+      openai?: string;
+      github?: string;
+      hf?: string;
+      openclaw?: string;
+      shell?: string;
+    };
+    expect(parsed.openai).toBeUndefined();
+    expect(parsed.github).toBeUndefined();
+    expect(parsed.hf).toBeUndefined();
+    expect(parsed.openclaw).toBe("keep-me");
+    expect(parsed.shell).toBe("acp");
+  });
 });
diff --git a/extensions/acpx/src/runtime-internals/process.ts b/extensions/acpx/src/runtime-internals/process.ts
@@ -7,6 +7,7 @@ import type {
 } from "openclaw/plugin-sdk/acpx";
 import {
   applyWindowsSpawnProgramPolicy,
+  listKnownProviderAuthEnvVarNames,
   materializeWindowsSpawnProgram,
   resolveWindowsSpawnProgramCandidate,
 } from "openclaw/plugin-sdk/acpx";
@@ -136,16 +137,12 @@ export function spawnWithResolvedCommand(
     options,
   );
 
-  // Strip provider API keys from child environment to prevent ACP agents
-  // (e.g. Codex CLI) from inheriting credentials they shouldn't use.
-  // Without this, leaked OPENAI_API_KEY causes Codex to overwrite its
-  // OAuth config in ~/.codex/auth.json with apikey mode.
-  const childEnv: Record<string, string | undefined> = {
+  const childEnv: NodeJS.ProcessEnv = {
     ...process.env,
     OPENCLAW_SHELL: "acp",
   };
-  for (const key of Object.keys(childEnv)) {
-    if (key.endsWith("_API_KEY") && key !== "OPENCLAW_API_KEY") {
+  for (const key of listKnownProviderAuthEnvVarNames()) {
+    if (key !== "OPENCLAW_API_KEY") {
       delete childEnv[key];
     }
   }
diff --git a/src/acp/client.test.ts b/src/acp/client.test.ts
@@ -7,11 +7,10 @@ import {
   resolveAcpClientSpawnEnv,
   resolveAcpClientSpawnInvocation,
   resolvePermissionRequest,
+  shouldStripProviderAuthEnvVarsForAcpServer,
 } from "./client.js";
 import { extractAttachmentsFromPrompt, extractTextFromPrompt } from "./event-mapper.js";
 
-const envVar = (...parts: string[]) => parts.join("_");
-
 function makePermissionRequest(
   overrides: Partial<RequestPermissionRequest> = {},
 ): RequestPermissionRequest {
@@ -63,52 +62,50 @@ describe("resolveAcpClientSpawnEnv", () => {
     expect(env.OPENCLAW_SHELL).toBe("acp-client");
   });
 
-  it("strips skill-injected env keys when stripKeys is provided", () => {
-    const openAiApiKeyEnv = envVar("OPENAI", "API", "KEY");
-    const elevenLabsApiKeyEnv = envVar("ELEVENLABS", "API", "KEY");
-    const anthropicApiKeyEnv = envVar("ANTHROPIC", "API", "KEY");
-    const stripKeys = new Set([openAiApiKeyEnv, elevenLabsApiKeyEnv]);
+  it("strips provider auth env vars for the default OpenClaw bridge", () => {
+    const stripKeys = new Set(["OPENAI_API_KEY", "GITHUB_TOKEN", "HF_TOKEN"]);
     const env = resolveAcpClientSpawnEnv(
       {
+        OPENAI_API_KEY: "openai-secret",
+        GITHUB_TOKEN: "gh-secret",
+        HF_TOKEN: "hf-secret",
+        OPENCLAW_API_KEY: "keep-me",
         PATH: "/usr/bin",
-        [openAiApiKeyEnv]: "openai-test-value", // pragma: allowlist secret
-        [elevenLabsApiKeyEnv]: "elevenlabs-test-value", // pragma: allowlist secret
-        [anthropicApiKeyEnv]: "anthropic-test-value", // pragma: allowlist secret
       },
       { stripKeys },
     );
 
+    expect(env.OPENAI_API_KEY).toBeUndefined();
+    expect(env.GITHUB_TOKEN).toBeUndefined();
+    expect(env.HF_TOKEN).toBeUndefined();
+    expect(env.OPENCLAW_API_KEY).toBe("keep-me");
     expect(env.PATH).toBe("/usr/bin");
     expect(env.OPENCLAW_SHELL).toBe("acp-client");
-    expect(env.ANTHROPIC_API_KEY).toBe("anthropic-test-value");
-    expect(env.OPENAI_API_KEY).toBeUndefined();
-    expect(env.ELEVENLABS_API_KEY).toBeUndefined();
   });
 
-  it("does not modify the original baseEnv when stripping keys", () => {
-    const openAiApiKeyEnv = envVar("OPENAI", "API", "KEY");
-    const baseEnv: NodeJS.ProcessEnv = {
-      [openAiApiKeyEnv]: "openai-original", // pragma: allowlist secret
-      PATH: "/usr/bin",
-    };
-    const stripKeys = new Set([openAiApiKeyEnv]);
-    resolveAcpClientSpawnEnv(baseEnv, { stripKeys });
+  it("preserves provider auth env vars for explicit custom ACP servers", () => {
+    const env = resolveAcpClientSpawnEnv({
+      OPENAI_API_KEY: "openai-secret",
+      GITHUB_TOKEN: "gh-secret",
+      HF_TOKEN: "hf-secret",
+      OPENCLAW_API_KEY: "keep-me",
+    });
 
-    expect(baseEnv.OPENAI_API_KEY).toBe("openai-original");
+    expect(env.OPENAI_API_KEY).toBe("openai-secret");
+    expect(env.GITHUB_TOKEN).toBe("gh-secret");
+    expect(env.HF_TOKEN).toBe("hf-secret");
+    expect(env.OPENCLAW_API_KEY).toBe("keep-me");
+    expect(env.OPENCLAW_SHELL).toBe("acp-client");
   });
+});
 
-  it("preserves OPENCLAW_SHELL even when stripKeys contains it", () => {
-    const openAiApiKeyEnv = envVar("OPENAI", "API", "KEY");
-    const env = resolveAcpClientSpawnEnv(
-      {
-        OPENCLAW_SHELL: "skill-overridden",
-        [openAiApiKeyEnv]: "openai-leaked", // pragma: allowlist secret
-      },
-      { stripKeys: new Set(["OPENCLAW_SHELL", openAiApiKeyEnv]) },
-    );
+describe("shouldStripProviderAuthEnvVarsForAcpServer", () => {
+  it("strips provider auth env vars for the default bridge", () => {
+    expect(shouldStripProviderAuthEnvVarsForAcpServer()).toBe(true);
+  });
 
-    expect(env.OPENCLAW_SHELL).toBe("acp-client");
-    expect(env.OPENAI_API_KEY).toBeUndefined();
+  it("preserves provider auth env vars for explicit custom ACP servers", () => {
+    expect(shouldStripProviderAuthEnvVarsForAcpServer("custom-acp-server")).toBe(false);
   });
 });
 
diff --git a/src/acp/client.ts b/src/acp/client.ts
@@ -20,6 +20,7 @@ import {
   resolveWindowsSpawnProgram,
 } from "../plugin-sdk/windows-spawn.js";
 import { DANGEROUS_ACP_TOOLS } from "../security/dangerous-tools.js";
+import { listKnownProviderAuthEnvVarNames } from "../secrets/provider-env-vars.js";
 
 const SAFE_AUTO_APPROVE_TOOL_IDS = new Set(["read", "search", "web_search", "memory_search"]);
 const TRUSTED_SAFE_TOOL_ALIASES = new Set(["search"]);
@@ -346,20 +347,25 @@ function buildServerArgs(opts: AcpClientOptions): string[] {
   return args;
 }
 
+export type AcpClientSpawnEnvOptions = {
+  stripKeys?: Iterable<string>;
+};
+
 export function resolveAcpClientSpawnEnv(
   baseEnv: NodeJS.ProcessEnv = process.env,
-  options?: { stripKeys?: ReadonlySet<string> },
+  options: AcpClientSpawnEnvOptions = {},
 ): NodeJS.ProcessEnv {
-  const env: NodeJS.ProcessEnv = { ...baseEnv };
-  if (options?.stripKeys) {
-    for (const key of options.stripKeys) {
-      delete env[key];
-    }
+  const env = { ...baseEnv, OPENCLAW_SHELL: "acp-client" };
+  for (const key of options.stripKeys ?? []) {
+    delete env[key];
   }
-  env.OPENCLAW_SHELL = "acp-client";
   return env;
 }
 
+export function shouldStripProviderAuthEnvVarsForAcpServer(serverCommand?: string): boolean {
+  return !serverCommand;
+}
+
 type AcpSpawnRuntime = {
   platform: NodeJS.Platform;
   env: NodeJS.ProcessEnv;
@@ -458,14 +464,13 @@ export async function createAcpClient(opts: AcpClientOptions = {}): Promise<AcpC
   const entryPath = resolveSelfEntryPath();
   const serverCommand = opts.serverCommand ?? (entryPath ? process.execPath : "openclaw");
   const effectiveArgs = opts.serverCommand || !entryPath ? serverArgs : [entryPath, ...serverArgs];
-  const { getActiveSkillEnvKeys } = await import("../agents/skills/env-overrides.runtime.js");
-  const { listKnownProviderEnvApiKeyNames } = await import("../agents/model-auth-env-vars.js");
-  const stripKeys = new Set(getActiveSkillEnvKeys());
-  // Strip provider API keys so they don't leak to ACP child processes.
-  // Without this, env vars like OPENAI_API_KEY cause Codex CLI to overwrite
-  // its OAuth credentials in ~/.codex/auth.json with apikey mode.
-  for (const key of listKnownProviderEnvApiKeyNames()) {
-    stripKeys.add(key);
+  const stripKeys = new Set<string>();
+  if (shouldStripProviderAuthEnvVarsForAcpServer(opts.serverCommand)) {
+    for (const key of listKnownProviderAuthEnvVarNames()) {
+      if (key !== "OPENCLAW_API_KEY") {
+        stripKeys.add(key);
+      }
+    }
   }
   const spawnEnv = resolveAcpClientSpawnEnv(process.env, { stripKeys });
   const spawnInvocation = resolveAcpClientSpawnInvocation(
diff --git a/src/plugin-sdk/acpx.ts b/src/plugin-sdk/acpx.ts
@@ -32,3 +32,4 @@ export {
   materializeWindowsSpawnProgram,
   resolveWindowsSpawnProgramCandidate,
 } from "./windows-spawn.js";
+export { listKnownProviderAuthEnvVarNames } from "../secrets/provider-env-vars.js";
diff --git a/src/plugin-sdk/subpaths.test.ts b/src/plugin-sdk/subpaths.test.ts
@@ -98,26 +98,16 @@ describe("plugin-sdk subpath exports", () => {
     expect(typeof msteamsSdk.loadOutboundMediaFromUrl).toBe("function");
   });
 
+  it("exports acpx helpers", async () => {
+    const acpxSdk = await import("openclaw/plugin-sdk/acpx");
+    expect(typeof acpxSdk.listKnownProviderAuthEnvVarNames).toBe("function");
+  });
+
   it("resolves bundled extension subpaths", async () => {
     for (const { id, load } of bundledExtensionSubpathLoaders) {
       const mod = await load();
       expect(typeof mod).toBe("object");
       expect(mod, `subpath ${id} should resolve`).toBeTruthy();
     }
   });
-
-  it("keeps the newly added bundled plugin-sdk contracts available", async () => {
-    const bluebubbles = await import("openclaw/plugin-sdk/bluebubbles");
-    expect(typeof bluebubbles.parseFiniteNumber).toBe("function");
-
-    const mattermost = await import("openclaw/plugin-sdk/mattermost");
-    expect(typeof mattermost.parseStrictPositiveInteger).toBe("function");
-
-    const nextcloudTalk = await import("openclaw/plugin-sdk/nextcloud-talk");
-    expect(typeof nextcloudTalk.waitForAbortSignal).toBe("function");
-
-    const twitch = await import("openclaw/plugin-sdk/twitch");
-    expect(typeof twitch.DEFAULT_ACCOUNT_ID).toBe("string");
-    expect(typeof twitch.normalizeAccountId).toBe("function");
-  });
 });
diff --git a/src/secrets/provider-env-vars.ts b/src/secrets/provider-env-vars.ts
@@ -25,6 +25,34 @@ export const PROVIDER_ENV_VARS: Record<string, readonly string[]> = {
   byteplus: ["BYTEPLUS_API_KEY"],
 };
 
+const EXTRA_PROVIDER_AUTH_ENV_VARS = [
+  "VOYAGE_API_KEY",
+  "GROQ_API_KEY",
+  "DEEPGRAM_API_KEY",
+  "CEREBRAS_API_KEY",
+  "NVIDIA_API_KEY",
+  "COPILOT_GITHUB_TOKEN",
+  "GH_TOKEN",
+  "GITHUB_TOKEN",
+  "ANTHROPIC_OAUTH_TOKEN",
+  "CHUTES_OAUTH_TOKEN",
+  "CHUTES_API_KEY",
+  "QWEN_OAUTH_TOKEN",
+  "QWEN_PORTAL_API_KEY",
+  "MINIMAX_OAUTH_TOKEN",
+  "OLLAMA_API_KEY",
+  "VLLM_API_KEY",
+] as const;
+
+export function listKnownProviderAuthEnvVarNames(): string[] {
+  return [
+    ...new Set([
+      ...Object.values(PROVIDER_ENV_VARS).flatMap((keys) => keys),
+      ...EXTRA_PROVIDER_AUTH_ENV_VARS,
+    ]),
+  ];
+}
+
 export function listKnownSecretEnvVarNames(): string[] {
   return [...new Set(Object.values(PROVIDER_ENV_VARS).flatMap((keys) => keys))];
 }
