openclaw/src/config/config.env-vars.test.ts

import fs from "node:fs/promises";
import path from "node:path";
import { describe, expect, it } from "vitest";
import { loadDotEnv } from "../infra/dotenv.js";
import { resolveConfigEnvVars } from "./env-substitution.js";
import {
  applyConfigEnvVars,
  collectDurableServiceEnvVars,
  collectConfigRuntimeEnvVars,
  createConfigRuntimeEnv,
  readStateDirDotEnvVars,
} from "./env-vars.js";
import { withEnvOverride, withTempHome, writeStateDirDotEnv } from "./test-helpers.js";
import type { OpenClawConfig } from "./types.js";

describe("config env vars", () => {
  it("applies env vars from env block when missing", async () => {
    await withEnvOverride({ OPENROUTER_API_KEY: undefined }, async () => {
      applyConfigEnvVars({ env: { vars: { OPENROUTER_API_KEY: "config-key" } } } as OpenClawConfig);
      expect(process.env.OPENROUTER_API_KEY).toBe("config-key");
    });
  });

  it("does not override existing env vars", async () => {
    await withEnvOverride({ OPENROUTER_API_KEY: "existing-key" }, async () => {
      applyConfigEnvVars({ env: { vars: { OPENROUTER_API_KEY: "config-key" } } } as OpenClawConfig);
      expect(process.env.OPENROUTER_API_KEY).toBe("existing-key");
    });
  });

  it("applies env vars from env.vars when missing", async () => {
    await withEnvOverride({ GROQ_API_KEY: undefined }, async () => {
      applyConfigEnvVars({ env: { vars: { GROQ_API_KEY: "gsk-config" } } } as OpenClawConfig);
      expect(process.env.GROQ_API_KEY).toBe("gsk-config");
    });
  });

  it("can build a merged runtime env without mutating process.env", async () => {
    await withEnvOverride({ OPENROUTER_API_KEY: undefined }, async () => {
      const merged = createConfigRuntimeEnv({
        env: { vars: { OPENROUTER_API_KEY: "config-key" } },
      } as OpenClawConfig);
      expect(merged.OPENROUTER_API_KEY).toBe("config-key");
      expect(process.env.OPENROUTER_API_KEY).toBeUndefined();
    });
  });

  it("blocks dangerous startup env vars from config env", async () => {
    await withEnvOverride(
      {
        BASH_ENV: undefined,
        SHELL: undefined,
        HOME: undefined,
        ZDOTDIR: undefined,
        OPENROUTER_API_KEY: undefined,
      },
      async () => {
        const config = {
          env: {
            vars: {
              BASH_ENV: "/tmp/pwn.sh",
              SHELL: "/tmp/evil-shell",
              HOME: "/tmp/evil-home",
              ZDOTDIR: "/tmp/evil-zdotdir",
              OPENROUTER_API_KEY: "config-key",
            },
          },
        };
        const entries = collectConfigRuntimeEnvVars(config as OpenClawConfig);
        expect(entries.BASH_ENV).toBeUndefined();
        expect(entries.SHELL).toBeUndefined();
        expect(entries.HOME).toBeUndefined();
        expect(entries.ZDOTDIR).toBeUndefined();
        expect(entries.OPENROUTER_API_KEY).toBe("config-key");

        applyConfigEnvVars(config as OpenClawConfig);
        expect(process.env.BASH_ENV).toBeUndefined();
        expect(process.env.SHELL).toBeUndefined();
        expect(process.env.HOME).toBeUndefined();
        expect(process.env.ZDOTDIR).toBeUndefined();
        expect(process.env.OPENROUTER_API_KEY).toBe("config-key");
      },
    );
  });

  it("drops non-portable env keys from config env", async () => {
    await withEnvOverride({ OPENROUTER_API_KEY: undefined }, async () => {
      const config = {
        env: {
          vars: {
            " BAD KEY": "oops",
            OPENROUTER_API_KEY: "config-key",
          },
          "NOT-PORTABLE": "bad",
        },
      };
      const entries = collectConfigRuntimeEnvVars(config as OpenClawConfig);
      expect(entries.OPENROUTER_API_KEY).toBe("config-key");
      expect(entries[" BAD KEY"]).toBeUndefined();
      expect(entries["NOT-PORTABLE"]).toBeUndefined();
    });
  });

  it("loads ${VAR} substitutions from ~/.openclaw/.env on repeated runtime loads", async () => {
    await withTempHome(async (_home) => {
      await withEnvOverride({ BRAVE_API_KEY: undefined }, async () => {
        const stateDir = process.env.OPENCLAW_STATE_DIR?.trim();
        if (!stateDir) {
          throw new Error("Expected OPENCLAW_STATE_DIR to be set by withTempHome");
        }
        await fs.mkdir(stateDir, { recursive: true });
        await fs.writeFile(path.join(stateDir, ".env"), "BRAVE_API_KEY=from-dotenv\n", "utf-8");

        const config: OpenClawConfig = {
          tools: {
            web: {
              search: {
                apiKey: "${BRAVE_API_KEY}",
              },
            },
          },
        };

        loadDotEnv({ quiet: true });
        const first = resolveConfigEnvVars(config, process.env) as OpenClawConfig;
        expect(first.tools?.web?.search?.apiKey).toBe("from-dotenv");

        delete process.env.BRAVE_API_KEY;
        loadDotEnv({ quiet: true });
        const second = resolveConfigEnvVars(config, process.env) as OpenClawConfig;
        expect(second.tools?.web?.search?.apiKey).toBe("from-dotenv");
      });
    });
  });

  it("reads key-value pairs from the state-dir .env file", async () => {
    await withTempHome(async (_home) => {
      await writeStateDirDotEnv("BRAVE_API_KEY=BSA-test-key\nDISCORD_BOT_TOKEN=discord-tok\n", {
        env: process.env,
      });
      const vars = readStateDirDotEnvVars(process.env);
      expect(vars.BRAVE_API_KEY).toBe("BSA-test-key");
      expect(vars.DISCORD_BOT_TOKEN).toBe("discord-tok");
    });
  });

  it("returns empty record when the state-dir .env file is missing", async () => {
    await withTempHome(async (_home) => {
      expect(readStateDirDotEnvVars(process.env)).toEqual({});
    });
  });

  it("drops dangerous and empty values from the state-dir .env file", async () => {
    await withTempHome(async (_home) => {
      await writeStateDirDotEnv("NODE_OPTIONS=--require /tmp/evil.js\nEMPTY=\nVALID=ok\n", {
        env: process.env,
      });
      const vars = readStateDirDotEnvVars(process.env);
      expect(vars.NODE_OPTIONS).toBeUndefined();
      expect(vars.EMPTY).toBeUndefined();
      expect(vars.VALID).toBe("ok");
    });
  });

  it("respects OPENCLAW_STATE_DIR when reading state-dir .env vars", async () => {
    await withTempHome(async (_home) => {
      const customStateDir = path.join(process.env.OPENCLAW_STATE_DIR ?? "", "custom-state");
      await writeStateDirDotEnv("CUSTOM_KEY=from-override\n", {
        stateDir: customStateDir,
      });
      expect(
        readStateDirDotEnvVars({
          OPENCLAW_STATE_DIR: customStateDir,
        }).CUSTOM_KEY,
      ).toBe("from-override");
    });
  });

  it("lets config service env vars override state-dir .env vars", async () => {
    await withTempHome(async (_home) => {
      await writeStateDirDotEnv("MY_KEY=from-dotenv\n", {
        env: process.env,
      });
      expect(
        collectDurableServiceEnvVars({
          env: process.env,
          config: {
            env: {
              vars: {
                MY_KEY: "from-config",
              },
            },
          } as OpenClawConfig,
        }).MY_KEY,
      ).toBe("from-config");
    });
  });
});