Greptile Summary

This PR makes a well-scoped, strictly additive security improvement by blocking five env-injection vectors (JAVA_TOOL_OPTIONS, _JAVA_OPTIONS, JDK_JAVA_OPTIONS, PYTHONBREAKPOINT, DOTNET_STARTUP_HOOKS) from the host exec sandbox. The implementation is consistent across the JSON policy file and the regenerated Swift file, and the tests now correctly cover all five new entries with both uppercase and lowercase assertions.

Key observations:

• All 5 new blockedKeys entries are correctly mirrored in HostEnvSecurityPolicy.generated.swift — no drift between sources.
• Test coverage is thorough: each new variable is tested case-insensitively, fully addressing the gap noted in the previous review thread.
• One gap worth noting: DOTNET_STARTUP_HOOKS (managed code) is now blocked, but the .NET CLR profiler API (CORECLR_ENABLE_PROFILING, CORECLR_PROFILER, CORECLR_PROFILER_PATH) provides a native-code injection path into .NET processes that is not covered by the existing LD_ prefix block and is absent from blockedKeys. This is outside the stated scope of this PR but worth a follow-up.

Confidence Score: 5/5

• This PR is safe to merge — changes are strictly additive, correctly implemented, and well tested.
• All five new blockedKeys entries are consistent between the JSON policy and the generated Swift file. Tests cover all new entries with case-insensitive variants. No existing entries are removed or modified. The only observation is a missing CORECLR_* trio for full .NET native profiler coverage, which is outside this PR's stated scope and appropriate for a follow-up.
• No files require special attention.

This is a comment left during a code review.
Path: src/infra/host-env-security-policy.json
Line: 25

Comment:
**Missing .NET CLR profiler injection trio**

`DOTNET_STARTUP_HOOKS` is now blocked (managed code injection), but the CLR profiler API is a parallel native-code injection vector that isn't caught by the existing `LD_` prefix block:

| Variable | Role |
|---|---|
| `CORECLR_ENABLE_PROFILING` | Activates the profiler (`1` enables it) |
| `CORECLR_PROFILER` | CLSID of the profiler COM object |
| `CORECLR_PROFILER_PATH` / `CORECLR_PROFILER_PATH_64` | Path to the native profiler `.so`/`.dll` loaded before `Main()` |

Setting all three causes the .NET runtime to `dlopen` an arbitrary native library before any managed code runs — functionally equivalent to `LD_PRELOAD` but not covered by the `LD_` prefix block. If the goal is comprehensive .NET env injection coverage, consider adding these to `blockedKeys` (and mirroring in the generated Swift file).

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: 7f8400b}

Regression risk note

These vars go into blockedKeys (stripped from inherited env AND user overrides), consistent with existing entries like NODE_OPTIONS and PYTHONPATH.

If someone runs their gateway on a host with JAVA_TOOL_OPTIONS=-javaagent:/opt/datadog/dd-java-agent.jar for APM, agent-spawned Java commands will silently lose the APM agent. Same pattern already accepted for NODE_OPTIONS (JVM monitoring) and PYTHONPATH (custom import paths).

In practice the overlap between "openclaw gateway host" and "JVM APM via env vars" is very small, and the security benefit (blocking -javaagent injection) outweighs the convenience loss.