- Fix incorrect filename reference from setting.json to settings.json in backend.go
- Update corresponding test fixtures to use correct filename
- Bump version from 5.2.7 to 5.2.8
Generated with SWE-Agent.ai
Co-Authored-By: SWE-Agent.ai <noreply@swe-agent.ai>
* fix: allow claude backend to read env from setting.json while preventing recursion
Fixes#89
Problem:
- --setting-sources "" prevents claude from reading ~/.claude/setting.json env
- Removing it causes infinite recursion via skills/commands/agents loading
Solution:
- Keep --setting-sources "" to block all config sources
- Add loadMinimalEnvSettings() to extract only env from setting.json
- Pass env explicitly via --settings parameter
- Update tests to validate dynamic --settings parameter
Benefits:
- Claude backend can access ANTHROPIC_API_KEY and other env vars
- Skills/commands/agents remain blocked, preventing recursion
- Graceful degradation if setting.json doesn't exist
Generated with SWE-Agent.ai
Co-Authored-By: SWE-Agent.ai <noreply@swe-agent.ai>
* security: pass env via process environment instead of command line
Critical security fix for issue #89:
- Prevents ANTHROPIC_API_KEY leakage in process command line (ps)
- Prevents sensitive values from being logged in wrapper logs
Changes:
1. executor.go:
- Add SetEnv() method to commandRunner interface
- realCmd merges env with os.Environ() and sets to cmd.Env
- All test mocks implement SetEnv()
2. backend.go:
- Change loadMinimalEnvSettings() to return map[string]string
- Use os.UserHomeDir() instead of os.Getenv("HOME")
- Add 1MB file size limit check
- Only accept string values in env (reject non-strings)
- Remove --settings parameter (no longer in command line)
3. Tests:
- Add loadMinimalEnvSettings() unit tests
- Remove --settings validation (no longer in args)
- All test mocks implement SetEnv()
Security improvements:
- No sensitive values in argv (safe from ps/logs)
- Type-safe env parsing (string-only)
- File size limit prevents memory issues
- Graceful degradation if setting.json missing
Tests: All pass (30.912s)
Generated with SWE-Agent.ai
Co-Authored-By: SWE-Agent.ai <noreply@swe-agent.ai>
---------
Co-authored-by: SWE-Agent.ai <noreply@swe-agent.ai>
