refactor(api-rs): stop injecting tool placeholder env vars into sandboxes#534
Open
mslipper wants to merge 1 commit into
Open
refactor(api-rs): stop injecting tool placeholder env vars into sandboxes#534mslipper wants to merge 1 commit into
mslipper wants to merge 1 commit into
Conversation
…oxes Tool secrets never needed NAME=NAME env vars: the SDK's StubBackend already returns the key name iron-proxy matches on, and the cloudwatch tool embeds its own throwaway SigV4 credentials for boto3. Sandbox placeholder env now comes from the infra/harness fragments only, whose consumers (codex, claude, git/gh) read credentials straight from the environment. The docsend/archiver browser-use clients drop their env fallback that rejected the stub and would have returned an empty key.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Tool-fragment secrets no longer contribute
NAME=NAMEplaceholder env vars to sandbox or workflow-host env. They were redundant: the SDK's StubBackend returns the key name when the env var is absent, which is exactly the placeholder value iron-proxy matches on, and the cloudwatch tool already signs with embedded throwaway SigV4 credentials so theaws_authenv seeding was dead weight. Placeholder env now comes only from the infra/harness fragments, whose consumers (codex, claude-code, git/gh, harness CLIs) read credentials directly from the environment.Also fixes the docsend and archiver browser-use clients, which rejected the stub key name and re-read the env var — they would have returned an empty key once the env var disappeared. They now trust the stub, which the proxy swaps in the query string.