From 42dfc36da50ad81c3fb2fef64e7849e6bbda8283 Mon Sep 17 00:00:00 2001
From: Pavan Kumar Gondhi
Date: Sat, 2 May 2026 14:17:42 +0530
Subject: [PATCH] fix(infra): block workspace state-directory env override [AI] (#75940)
* fix: block workspace state directory env override
* docs: add changelog entry for PR merge
---
 CHANGELOG.md | 1 +
 src/infra/dotenv.test.ts | 11 +++++++++--
 src/infra/dotenv.ts | 1 +
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 09f2ebb487e..c460a2195c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,6 +30,7 @@ Docs: https://docs.openclaw.ai
 ### Fixes
+- fix(infra): block workspace state-directory env override [AI]. (#75940) Thanks @pgondhi987.
 - TTS: honor explicit short `[[tts:text]]...[[/tts:text]]` blocks while keeping untagged short auto-TTS suppressed, so tagged voice replies are synthesized instead of being dropped as empty voice-only payloads. Fixes #73758. Thanks @yfge.
 - Proxy/audio: convert standard `FormData` bodies before proxy-backed undici fetches, so audio transcription and multipart uploads no longer send `[object FormData]` when `HTTP_PROXY` or `HTTPS_PROXY` is configured. Fixes #48554. Thanks @dco5.
 - Gateway/diagnostics: include a bounded redacted startup error message in stability bundles, so crash-loop reports identify the failing plugin or contract without exposing secrets. Refs #75797. Thanks @ymebosma.
diff --git a/src/infra/dotenv.test.ts b/src/infra/dotenv.test.ts
index 95b2fd574a6..a2f364bfd41 100644
--- a/src/infra/dotenv.test.ts
+++ b/src/infra/dotenv.test.ts
@@ -299,20 +299,26 @@ describe("loadDotEnv", () => {
 });
 });
- it("blocks OPENCLAW_STATE_DIR from workspace .env even when unset in process env", async () => {
+ it("blocks state-directory controls from workspace .env even when unset in process env", async () => {
 await withIsolatedEnvAndCwd(async () => {
 await withDotEnvFixture(async ({ cwdDir }) => {
 await writeEnvFile(
 path.join(cwdDir, ".env"),
- "OPENCLAW_STATE_DIR=./evil-state\nOPENCLAW_CONFIG_PATH=./evil-config.json\n",
+ [
+ "OPENCLAW_STATE_DIR=./evil-state",
+ "STATE_DIRECTORY=./evil-systemd-state",
+ "OPENCLAW_CONFIG_PATH=./evil-config.json",
+ ].join("\n"),
 );
 delete process.env.OPENCLAW_STATE_DIR;
+ delete process.env.STATE_DIRECTORY;
 delete process.env.OPENCLAW_CONFIG_PATH;
 loadWorkspaceDotEnvFile(path.join(cwdDir, ".env"), { quiet: true });
 expect(process.env.OPENCLAW_STATE_DIR).toBeUndefined();
+ expect(process.env.STATE_DIRECTORY).toBeUndefined();
 expect(process.env.OPENCLAW_CONFIG_PATH).toBeUndefined();
 });
 });
@@ -732,6 +738,7 @@ describe("workspace .env blocklist completeness", () => {
 "ProgramFiles",
 "ProgramFiles(x86)",
 "ProgramW6432",
+ "STATE_DIRECTORY",
 "SYNOLOGY_CHAT_INCOMING_URL",
 "SYNOLOGY_NAS_HOST",
 ];
diff --git a/src/infra/dotenv.ts b/src/infra/dotenv.ts
index 47ae1c96bd1..5b06b2c6996 100644
--- a/src/infra/dotenv.ts
+++ b/src/infra/dotenv.ts
@@ -81,6 +81,7 @@ const BLOCKED_WORKSPACE_DOTENV_KEYS = new Set([
 "PROGRAMFILES",
 "PROGRAMFILES(X86)",
 "PROGRAMW6432",
+ "STATE_DIRECTORY",
 "SYNOLOGY_CHAT_INCOMING_URL",
 "SYNOLOGY_NAS_HOST",
 "SYSTEMROOT",
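Review bot: Every assertion in the "blocks state-directory controls" test is negative (`toBeUndefined()`), so the case would also pass if `loadWorkspaceDotEnvFile` never read the fixture at all. Adding one harmless key to the fixture array and asserting that it does load would show the three keys were dropped by the blocklist rather than by a silent no-op; with a constructed name, that is `"EXAMPLE_ALLOWED_KEY=ok",` in the array and `expect(process.env.EXAMPLE_ALLOWED_KEY).toBe("ok");` after the load call. Whether `quiet: true` hides read errors is inferred from the option name and is not visible in this hunk. The `it(...)` callback is closed outside the hunk.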
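Review bot: The new `"STATE_DIRECTORY"` entry in `BLOCKED_WORKSPACE_DOTENV_KEYS` has no comment saying why a name without the `OPENCLAW_` prefix belongs on the list, which makes it easy to prune later. A one-line comment above it would record the reason, for example `// systemd StateDirectory= export; a workspace .env must not be able to relocate state`. Since this is an exact-name denylist, it is also worth confirming whether the path-resolution code reads the sibling systemd variables (`RUNTIME_DIRECTORY`, `CACHE_DIRECTORY`, `LOGS_DIRECTORY`, `CONFIGURATION_DIRECTORY`); that code is not visible here, so this is a question rather than a finding. The `Set` literal starts and ends outside the hunk.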