Bug: resolveConfigValue corrupts literal API keys on Windows

[robert1826]

What happened?

resolveConfigValue("public") returns "C:\Users\Public" on Windows instead of the literal string "public".

On Windows, process.env is case-insensitive. The function does process.env["public"] which matches the PUBLIC env var (C:\Users\Public). This corrupts any literal API key that happens to match a Windows env var name.

This breaks opencode free models -- the Zen proxy expects the literal "public" sentinel but receives "C:\Users\Public" and returns 401.

Steps to reproduce

1. Don't set OPENCODE_API_KEY env var
2. Put {"opencode": {"type": "api_key", "key": "public"}} in ~/.pi/agent/auth.json
3. Run pi --model opencode/mimo-v2.5-free -p "hi"
4. Get 401 Invalid API key

The --api-key public flag works because it bypasses resolveConfigValue via runtime overrides.

Expected behavior

Literal API keys in auth.json should be returned as-is, not resolved as env var names. "public" should return "public", not "C:\Users\Public".

Root cause

resolveConfigValue treats all non-!-prefixed strings as potential env var names:

const envValue = process.env[config];  // case-insensitive on Windows!
return envValue || config;

On Windows, process.env["public"] returns "C:\Users\Public" (the PUBLIC env var), so the literal string is never returned.

[github-actions]

This issue was auto-closed. All issues from new contributors are auto-closed by default.

Maintainers review auto-closed issues daily and reopen worthwhile ones. Issues that do not meet the quality bar in CONTRIBUTING.md will not be reopened or receive a reply.

If a maintainer replies lgtmi on one of your issues, your future issues will stay open. If a maintainer replies lgtm, your future issues and PRs will stay open.

See CONTRIBUTING.md.

[mitsuhiko]

Implemented the config-value change for this.

Summary:

• Plain strings are treated as literals, so public is no longer resolved through Windows PUBLIC.
• Env refs now require $ENV_VAR or ${ENV_VAR} and also work inside strings like ${FOO}_${BAR}.
• $$ escapes $, and $! escapes a literal leading ! without triggering command execution.
• Existing uppercase config-file values are migrated to explicit $ENV_VAR syntax with a detailed warning showing each migrated key.
• registerProvider() keeps legacy uppercase env-name behavior temporarily, warns, and rewrites internally to $ENV_VAR.

This comment is AI-generated by /wr