feat: add [agent].inherit_env for selective env var inheritance#700
Merged
All PRs must reference a prior Discord discussion to ensure community alignment before implementation. Please edit the PR description to include a link like: This PR will be automatically closed in 3 days if the link is not added.
thepagent
previously approved these changes
May 2, 2026
Adds an optional inherit_env config that allows specific env vars from the OAB process to be passed through to the agent subprocess. This supports Kubernetes envFrom workflows where env vars are injected into the pod but need to reach the agent.

- env_clear() security default unchanged
- [agent].env explicit values take precedence over inherited ones
- Inherited keys logged in the existing security warning
- Helm chart template renders inherit_env as TOML array
- config.toml.example updated with documentation

Closes #699
✅ E2E validation on zf cluster — all tests passed

Infrastructure-level validation

Deployed

Test results

Helm values used

```yaml
agents:
  codex:
    image: ghcr.io/openabdev/openab:pr700
    command: codex-acp
    inheritEnv: [OAB_TEST_VAR, NONEXISTENT_VAR]
    envFrom:
      - configMapRef:
          name: test-env  # OAB_TEST_VAR=hello-from-k8s
    env:
      OAB_TEST_VAR: "explicit-wins"  # precedence test
```

Full reproduction steps
thepagent
approved these changes
May 2, 2026
What problem does this solve?

PR #670 added `env_clear()` to prevent OAB credentials from leaking to the agent subprocess. This is the correct security default, but it broke workflows where users inject env vars via Kubernetes `envFrom` (ConfigMap/Secret) and expect them to reach the agent.

Currently, the only way to pass those vars is to re-declare each one in `[agent].env` as `KEY = "${KEY}"`, which is tedious and defeats the purpose of `envFrom`.

Proposed Solution

New optional config `[agent].inherit_env` — an allow list of env var names to inherit from the OAB process:

Behavior

- `env_clear()` remains — security default unchanged
- `HOME`, `PATH`, `USER` still passed as baseline
- `env` — explicit key=value pairs (existing, unchanged)
- `inherit_env` — reads named vars from OAB process env and passes them if present
- `env` and `inherit_env`, `env` wins (explicit takes precedence)

Helm usage

Changes

- `src/config.rs`: `inherit_env: Vec<String>` to `AgentConfig`
- `src/acp/connection.rs`: `inherit_env` param, copy matching vars after `env_clear()`
- `src/acp/pool.rs`: `inherit_env` to `spawn()`
- `charts/openab/templates/configmap.yaml`: `inherit_env` as TOML array
- `config.toml.example`

What was tested

- `env_clear()` flow

Closes #699
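
The behaviour listed in the description above (clear the environment, keep the baseline, copy allow-listed names that are set, let explicit `env` win), as an added Rust example that is not the PR's own code. `build_agent_env`, `apply` and `CONSTRUCTED_OAB_SECRET` are hypothetical names, the parent environment is constructed, and the merge order is an assumption based on the stated precedence.

```rust
use std::collections::{BTreeMap, HashMap};
use std::process::Command;

// Baseline names the PR description says are still passed after env_clear().
const BASELINE: [&str; 3] = ["HOME", "PATH", "USER"];

/// Compute the agent's environment from a snapshot of the parent's.
/// Assumed order for this sketch: baseline, then inherit_env, then explicit
/// env last, so an explicit value overrides an inherited one.
fn build_agent_env(
    parent: &HashMap<String, String>,
    explicit: &BTreeMap<String, String>,
    inherit_env: &[String],
) -> BTreeMap<String, String> {
    let mut allowed: Vec<&str> = BASELINE.to_vec();
    allowed.extend(inherit_env.iter().map(String::as_str));
    let mut child = BTreeMap::new();
    for key in allowed {
        // Only allow-listed names are copied; names unset in the parent are skipped.
        if let Some(value) = parent.get(key) {
            child.insert(key.to_string(), value.clone());
        }
    }
    for (k, v) in explicit {
        child.insert(k.clone(), v.clone()); // explicit wins
    }
    child
}

/// Start from an empty environment, then add only the computed variables.
fn apply(cmd: &mut Command, env: &BTreeMap<String, String>) {
    cmd.env_clear().envs(env);
}

fn main() {
    // Constructed parent env; CONSTRUCTED_OAB_SECRET stands in for a credential.
    let parent: HashMap<String, String> = [
        ("PATH", "/usr/bin:/bin"), ("HOME", "/home/oab"),
        ("OAB_TEST_VAR", "hello-from-k8s"), ("CONSTRUCTED_OAB_SECRET", "s3cr3t"),
    ].iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
    let inherit = vec!["OAB_TEST_VAR".to_string(), "NONEXISTENT_VAR".to_string()];
    let env = build_agent_env(&parent, &BTreeMap::new(), &inherit);
    println!("{:?}", env);
    let mut cmd = Command::new("env"); // Unix tool that prints its own environment
    apply(&mut cmd, &env);
    let _ = cmd.status();
}
```

Anything not named in `inherit_env` or the baseline, including the stand-in secret, never reaches the child, so the allow list is the place to review when auditing what an agent can read.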