fix service env placeholder collection #90488

Merged: sallyom merged 1 commit into openclaw:main from sallyom:codex/fix-minimax-service-env on Jun 5, 2026

@sallyom sallyom commented Jun 5, 2026

Contributor

Summary

Refs #90277.

This fixes the managed gateway service env plan when config contains an unresolved env placeholder such as ${MINIMAX_API_KEY} and the real value lives in $OPENCLAW_STATE_DIR/.env.

The change skips unresolved ${VAR} references while collecting config env vars for runtime/service env. Concrete config env values still work, but placeholder values no longer mask the state-dir .env value during service env planning.

Impact

  • No config schema changes.
  • No MiniMax-specific allowlist or provider special case.
  • Existing concrete config.env values keep working, including values produced by config placeholder resolution.
  • Env-backed SecretRefs can still resolve from the managed service environment after install/restart.
  • Security behavior is slightly tighter because literal unresolved placeholders are not staged as credential-like env values.

Verification

  • git fetch origin main
  • git rebase origin/main
  • git diff --check origin/main
  • node scripts/run-vitest.mjs src/config/config.env-vars.test.ts src/commands/daemon-install-helpers.test.ts
  • node scripts/run-vitest.mjs src/config/config.env-vars.test.ts
  • Blacksmith Testbox tbx_01ktanqfm49ss6avf85qmqaw20: corepack pnpm check:test-types

Real Behavior Proof

Behavior addressed: gateway install service-env planning preserves a concrete MINIMAX_API_KEY from $OPENCLAW_STATE_DIR/.env when config also contains an unresolved self-reference ${MINIMAX_API_KEY}.

Real environment tested: Blacksmith Testbox tbx_01ktakr7a43sym9k546pn17y5n, Linux Node 24.13.0, synced PR checkout for the original proof run. The current amended PR head is 3dfb9b3d06750047294e6682da9dc1fe117edcb9; later amendments only made the MiniMax provider test fixture type-complete and added top-level unresolved plus resolved config env placeholder regression coverage. The fixture type fix was verified separately with check:test-types on Testbox tbx_01ktanqfm49ss6avf85qmqaw20; the config env collector tests were verified with node scripts/run-vitest.mjs src/config/config.env-vars.test.ts.

Exact steps or command run after this patch: On Testbox, created a temp state dir with .env containing a fake MINIMAX_API_KEY, built a config with both env.vars.MINIMAX_API_KEY: "${MINIMAX_API_KEY}" and models.providers["minimax-openai"].apiKey as an env SecretRef, then called the actual buildGatewayInstallPlan managed service env path with platform: "darwin". The command used wrapperPath: process.execPath to bypass package CLI-entrypoint resolution in the synced source checkout; it did not bypass service-env collection or render-policy logic.

Evidence after fix:

{
  "behaviorAddressed": "gateway install plan preserves state-dir .env MINIMAX_API_KEY when config env contains unresolved self-reference",
  "realEnvironmentTested": "Blacksmith Testbox tbx_01ktakr7a43sym9k546pn17y5n using isolated OPENCLAW_STATE_DIR and actual buildGatewayInstallPlan managed service env path",
  "stateDotEnvValuePreserved": true,
  "exportedKey": "MINIMAX_API_KEY",
  "managedKeys": "MINIMAX_API_KEY",
  "platformPlanned": "darwin",
  "launcherResolutionBypassedWithWrapperPath": true,
  "secretValuePrinted": false
}

Observed result after fix: The install plan exported MINIMAX_API_KEY from state-dir .env and kept OPENCLAW_SERVICE_MANAGED_ENV_KEYS=MINIMAX_API_KEY; the unresolved config placeholder did not mask the concrete .env value.

What was not tested: No live macOS LaunchAgent or Linux systemd service was installed, restarted, or inspected; no real MiniMax credential or provider call was used.

@openclaw-barnacle openclaw-barnacle Bot added commands Command implementations size: S maintainer Maintainer-authored PR labels Jun 5, 2026
clawsweeper Bot commented Jun 5, 2026

Contributor

Codex review: needs maintainer review before merge. Reviewed June 4, 2026, 9:52 PM ET / 01:52 UTC.

Summary
The PR filters unresolved ${VAR} placeholder values out of config env collection for runtime/service env planning and adds config plus gateway install-plan regression tests.

PR surface: Source +6, Tests +118. Total +124 across 3 files.

Reproducibility: yes, from source inspection, though this read-only review did not execute the repro. Current main lets an unresolved config env placeholder enter durable service env planning and replace the state-dir .env source before macOS inline rendering.

Review metrics: 1 noteworthy metric.

  • Config env semantics: 2 existing config env forms now skip unresolved placeholders. Both env.vars and top-level string env keys change behavior for unresolved ${VAR} values, which is the compatibility decision maintainers need to notice before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Have a maintainer explicitly accept or revise the compatibility policy for literal unescaped ${VAR} config env values before merge.

Risk before merge

  • [P1] Existing configs that intentionally rely on literal unescaped ${VAR} strings in config env values will stop passing those literals through config env collection; that edge case needs explicit maintainer acceptance.
  • [P1] The real proof exercises the actual install-plan path on Testbox with platform: "darwin", but it does not install and restart a live macOS LaunchAgent or call a real MiniMax provider.

Maintainer options:

  1. Accept placeholder filtering policy (recommended)
    Merge after a maintainer confirms that literal unescaped ${VAR} config-env values are unsupported or risky enough to drop from runtime/service env collection.
  2. Narrow the behavior to service env
    If preserving direct config-runtime collector semantics matters, move the unresolved-placeholder skip to the service-env collection path and keep the same regression coverage.

Next step before merge

  • No automated repair is indicated because no blocking patch defect was found; the remaining action is maintainer review of the compatibility-sensitive config-env policy and protected maintainer-labeled PR.

Security
Cleared: The diff adds no dependency, workflow, install-script, or permission changes; the credential-sensitive code change filters unresolved placeholders rather than exposing new secret material.

Review details

Best possible solution:

Land the narrow collector fix after maintainer acceptance that unresolved placeholder-shaped config env values are not supported runtime/service env candidates, then use the merged fix as the implementation path for the linked gateway service-env issue.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection, though this read-only review did not execute the repro. Current main lets an unresolved config env placeholder enter durable service env planning and replace the state-dir .env source before macOS inline rendering.

Is this the best way to solve the issue?

Yes, with a maintainer policy caveat. Filtering unresolved placeholders at the config-env collection boundary is narrower and more generic than a MiniMax allowlist or macOS-only render special case, while tests preserve concrete and resolved config env values.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6868cde4d45f.

Label changes:

  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix Testbox live-output proof for the actual install-plan service-env path preserving the state-dir .env value despite an unresolved config self-reference.
  • remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
  • remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

  • P1: The PR targets a linked managed gateway service-env failure that can leave an affected LaunchAgent gateway in a crash loop with missing provider credentials.
  • merge-risk: 🚨 compatibility: The diff changes existing config env collection semantics for unresolved placeholder-shaped values rather than only adding a new isolated path.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix Testbox live-output proof for the actual install-plan service-env path preserving the state-dir .env value despite an unresolved config self-reference.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix Testbox live-output proof for the actual install-plan service-env path preserving the state-dir .env value despite an unresolved config self-reference.

Evidence reviewed

PR surface:

Source +6, Tests +118. Total +124 across 3 files.

| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 1 | 6 | 0 | +6 |
| Tests | 2 | 118 | 0 | +118 |
| Docs | 0 | 0 | 0 | 0 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 3 | 124 | 0 | +124 |

What I checked:

  • Repository policy applied: Root AGENTS.md was read fully; its config/env compatibility, proof, protected-label, and review-depth rules affect this PR review. (AGENTS.md:1, 6868cde4d45f)
  • PR diff scope: The PR adds placeholder filtering in both config env collection branches and adds regression coverage for unresolved env.vars, top-level env placeholders, resolved placeholders, and macOS LaunchAgent env SecretRef planning. (src/config/config-env-vars.ts:31, 3dfb9b3d0675)
  • Current main source behavior: Current main collects nonempty config env strings without checking unresolved placeholders, and durable service env composition lets config env override state-dir .env values. (src/config/state-dir-dotenv.ts:126, 6868cde4d45f)
  • Failure path from source: Gateway install planning adds state-dotenv entries before config-env entries, then macOS render policy only re-inlines a managed value when the final normalized entry source is state-dotenv, so an unresolved config placeholder can mask a concrete state-dir .env value. (src/commands/daemon-install-helpers.ts:529, 6868cde4d45f)
  • User-facing contract context: Docs tell managed-service users to provide env SecretRef values from the shell or ~/.openclaw/.env, and secrets docs say active SecretRefs fail fast when unresolved. Public docs: docs/channels/discord.md. (docs/channels/discord.md:117, 6868cde4d45f)
  • Real behavior proof in PR body: The PR body reports Blacksmith Testbox proof on head 3dfb9b3 where buildGatewayInstallPlan preserved MINIMAX_API_KEY from a state-dir .env despite an unresolved config self-reference; it also lists focused vitest and Testbox type-check verification. (3dfb9b3d0675)

Likely related people:

  • sallyom: Prior merged SecretRef provider integration work touched the daemon install helper and included service-env handling before this PR, so the author also has current-main history in the affected area. (role: recent feature contributor; confidence: high; commits: 6037a7466079; files: src/commands/daemon-install-helpers.ts, src/config/types.secrets.ts)
  • steipete: Recent commits and API history show repeated work on config/env helpers, daemon install helpers, and service-env render policy around the affected paths. (role: recent area contributor; confidence: high; commits: 54fe5dc8429b, 4eb3d1fae941, 2b01bcf6c805; files: src/config/config-env-vars.ts, src/commands/daemon-install-helpers.ts, src/daemon/service-env-render-policy.ts)
  • joshavant: History for the prior SecretRef provider integration commit lists joshavant as co-author, and the affected behavior crosses SecretRef service-env planning. (role: adjacent SecretRef owner; confidence: medium; commits: 6037a7466079; files: src/commands/daemon-install-helpers.ts, src/config/types.secrets.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P1 High-priority user-facing bug, regression, or broken workflow. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 5, 2026
@sallyom sallyom marked this pull request as ready for review June 5, 2026 01:03
sallyom commented Jun 5, 2026

Contributor Author

wrt the [P1]: changes existing config env semantics: unescaped ${VAR} strings in env.vars or top-level config env keys stop being collected for runtime/service environments.

  • Yes, this intentionally stops unresolved ${VAR} strings from being collected as runtime/service env values.
  • The expected supported forms are a concrete value in config env, a resolved ${VAR} substitution, or a real value in $OPENCLAW_STATE_DIR/.env.
  • The only known break is users intentionally passing literal placeholder-shaped strings through config env, which is unlikely and risky for auth envs.

[P1] Cover the resolved config placeholder path — src/config/config-env-vars.ts:34-36: added regression test

I'm willing to accept the small risk of breaking behavior, agent discussion:

What it can break is narrow: configs intentionally using a literal unescaped placeholder-shaped value like ${FOO} as the env value itself. That value will no longer be collected into runtime/service env. Concrete config values still work, resolved ${FOO} substitutions still work, and state-dir .env values still work.

Given this surface is credential/service-env handling, I think filtering unresolved placeholders is the safer behavior: it prevents a literal ${MINIMAX_API_KEY} from masking the real durable secret and avoids staging placeholder strings as credential-like env values. Tests now cover unresolved env.vars, unresolved top-level env keys, resolved placeholders, and the service install-plan path. CI and Testbox proof are green/sufficient.
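
The masking discussed in this thread (state-dir `.env` entries planned first, config env entries replacing them, and only entries whose final source is the state `.env` kept as managed keys), as an added TypeScript sketch that is not OpenClaw's code and not part of the PR. Every function name, the config shape, the placeholder regex and the sample values are assumptions made for illustration.

```typescript
// Added illustration with hypothetical names; not OpenClaw's implementation.
type EnvSource = "state-dotenv" | "config-env";
interface PlannedEntry { value: string; source: EnvSource }
// Assumed config shape: env.vars plus top-level string keys under env.
interface ConfigEnv { vars?: Record<string, string>; [key: string]: unknown }

// Assumption: a value that still contains ${NAME} is an unresolved placeholder.
// Escaped placeholders are not modelled.
const UNRESOLVED = /\$\{[A-Za-z_][A-Za-z0-9_]*\}/;

function isUnresolvedPlaceholder(value: string): boolean {
  return UNRESOLVED.test(value);
}

// Collect config env values. With skipUnresolved=true, placeholder-shaped
// values are dropped instead of being staged as if they were real values.
// Precedence between env.vars and top-level keys is not modelled.
function collectConfigEnv(env: ConfigEnv, skipUnresolved: boolean): Record<string, string> {
  const out: Record<string, string> = {};
  const take = (key: string, value: unknown): void => {
    if (typeof value !== "string" || value.trim() === "") return;
    if (skipUnresolved && isUnresolvedPlaceholder(value)) return;
    out[key] = value;
  };
  const vars = env.vars ?? {};
  for (const key of Object.keys(vars)) take(key, vars[key]);
  for (const key of Object.keys(env)) {
    if (key !== "vars") take(key, env[key]);
  }
  return out;
}

// Ordering described in the review: state-dir .env entries are planned first,
// then config env entries replace them key by key.
function planServiceEnv(
  stateDotEnv: Record<string, string>,
  configEnv: Record<string, string>,
): Record<string, PlannedEntry> {
  const plan: Record<string, PlannedEntry> = {};
  for (const key of Object.keys(stateDotEnv)) {
    plan[key] = { value: stateDotEnv[key], source: "state-dotenv" };
  }
  for (const key of Object.keys(configEnv)) {
    plan[key] = { value: configEnv[key], source: "config-env" };
  }
  return plan;
}

// Stand-in for the render policy: only keys whose final source is the
// state-dir .env stay in the managed key list.
function managedKeys(plan: Record<string, PlannedEntry>): string[] {
  return Object.keys(plan).filter((k) => plan[k].source === "state-dotenv").sort();
}

// Audit helper: keys where a config placeholder would mask a concrete .env value.
function findMaskedKeys(stateDotEnv: Record<string, string>, env: ConfigEnv): string[] {
  const raw = collectConfigEnv(env, false);
  return Object.keys(raw)
    .filter((k) => isUnresolvedPlaceholder(raw[k]))
    .filter((k) => typeof stateDotEnv[k] === "string" && stateDotEnv[k] !== "")
    .sort();
}

// Constructed sample input; the key value is fake.
const sampleStateDotEnv: Record<string, string> = {
  MINIMAX_API_KEY: "fake-key-from-state-dotenv",
};
const sampleConfigEnv: ConfigEnv = {
  vars: { MINIMAX_API_KEY: "${MINIMAX_API_KEY}", LOG_LEVEL: "debug" },
  HTTP_PROXY_HINT: "${UNSET_PROXY}", // top-level placeholder, never resolved
  REGION: "eu-1",
};

// Before: the literal placeholder wins and the key is no longer managed.
const before = planServiceEnv(sampleStateDotEnv, collectConfigEnv(sampleConfigEnv, false));
// After: the placeholder is skipped, so the state-dir .env value survives.
const after = planServiceEnv(sampleStateDotEnv, collectConfigEnv(sampleConfigEnv, true));

console.log({
  beforeSource: before.MINIMAX_API_KEY.source,
  afterSource: after.MINIMAX_API_KEY.source,
  managedBefore: managedKeys(before),
  managedAfter: managedKeys(after),
  masked: findMaskedKeys(sampleStateDotEnv, sampleConfigEnv),
});
```

`findMaskedKeys` can be run over an existing config and state `.env` pair to list keys that would have been affected, without printing any secret value.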

@sallyom sallyom force-pushed the codex/fix-minimax-service-env branch from bf82e20 to 23e662d Compare June 5, 2026 01:24
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels Jun 5, 2026
@sallyom sallyom force-pushed the codex/fix-minimax-service-env branch from 23e662d to e34830f Compare June 5, 2026 01:39
Signed-off-by: sallyom <somalley@redhat.com>
@sallyom sallyom force-pushed the codex/fix-minimax-service-env branch from e34830f to 3dfb9b3 Compare June 5, 2026 01:44
@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. labels Jun 5, 2026
@sallyom sallyom merged commit 7ac1eeb into openclaw:main Jun 5, 2026
182 of 185 checks passed
@sallyom sallyom changed the title [codex] fix service env placeholder collection fix service env placeholder collection Jun 5, 2026
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 5, 2026
Signed-off-by: sallyom <somalley@redhat.com>
traoremp pushed a commit to traoremp/openclaw that referenced this pull request Jun 5, 2026
Signed-off-by: sallyom <somalley@redhat.com>
849261680 pushed a commit to 849261680/openclaw that referenced this pull request Jun 7, 2026
Signed-off-by: sallyom <somalley@redhat.com>
wangmiao0668000666 pushed a commit to wangmiao0668000666/openclaw that referenced this pull request Jun 9, 2026
Signed-off-by: sallyom <somalley@redhat.com>
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request Jun 9, 2026
…26.6.5) (#963)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.6.1` → `2026.6.5` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.6.5`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#202665)

[Compare Source](openclaw/openclaw@v2026.6.1...v2026.6.5)

##### Highlights

- QQBot now strips model reasoning/thinking scaffolding before native delivery, preventing raw `<thinking>` content from leaking into channel replies. ([#89913](openclaw/openclaw#89913), [#90132](openclaw/openclaw#90132)) Thanks [@openperf](https://github.com/openperf).
- MCP tool results now coerce `resource_link`, `resource`, `audio`, malformed image, and future non-text/image blocks at the materialize boundary, preventing Anthropic 400s and poisoned session history after a tool returns richer MCP content. ([#90710](openclaw/openclaw#90710), [#90728](openclaw/openclaw#90728)) Thanks [@RanSHammer](https://github.com/RanSHammer) and [@849261680](https://github.com/849261680).
- Anthropic extended-thinking sessions recover after prompt-cache expiry or Gateway restart because stream start events wait for `message_start`, letting pre-generation signature errors trigger the existing recovery retry. ([#90667](openclaw/openclaw#90667), [#90697](openclaw/openclaw#90697)) Thanks [@openperf](https://github.com/openperf).
- Parallel is now a bundled `web_search` provider with `PARALLEL_API_KEY` discovery, guarded endpoint handling, cache-safe session ids, onboarding picker support, and docs. ([#85158](openclaw/openclaw#85158)) Thanks [@NormallyGaussian](https://github.com/NormallyGaussian).
- Google Vertex ADC users get static catalog rows and runtime model resolution again, while single-provider cooldown recovery and memory adapter status checks are more reliable. ([#90506](openclaw/openclaw#90506), [#90609](openclaw/openclaw#90609), [#90717](openclaw/openclaw#90717), [#90816](openclaw/openclaw#90816)) Thanks [@849261680](https://github.com/849261680).
- Matrix can preflight voice notes before mention gating, preserve thread reads/replies through Matrix relations pagination, and carry QA coverage for voice and thread flows. ([#78016](openclaw/openclaw#78016), [#90415](openclaw/openclaw#90415))
- Auth and plugin install state is more durable: auth profiles now live in SQLite, official npm plugin install records keep their trusted pins, and prerelease fallback integrity checks avoid carrying stale integrity forward. ([#89102](openclaw/openclaw#89102), [#88585](openclaw/openclaw#88585))
- macOS node mode no longer silently self-reconnects away from a healthy direct Gateway session, reducing unexpected companion app session churn. ([#90668](openclaw/openclaw#90668), [#90815](openclaw/openclaw#90815)) Thanks [@vrurg](https://github.com/vrurg).
- Upgrade and service paths are safer: cron legacy JSON stores migrate during doctor preflight, service env placeholders no longer mask state-dir secrets, WhatsApp startup waits are bounded, and disabled WhatsApp accounts tear down on config reload. ([#90072](openclaw/openclaw#90072), [#90208](openclaw/openclaw#90208), [#90277](openclaw/openclaw#90277), [#90488](openclaw/openclaw#90488), [#90486](openclaw/openclaw#90486), [#87951](openclaw/openclaw#87951), [#87965](openclaw/openclaw#87965)) Thanks [@MonkeyLeeT](https://github.com/MonkeyLeeT), [@sallyom](https://github.com/sallyom), [@mcaxtr](https://github.com/mcaxtr), and [@MukundaKatta](https://github.com/MukundaKatta).

##### Changes

- Search/providers: add the Parallel bundled web-search plugin, live provider tests, registration contracts, onboarding/docs wiring, and guarded `api.parallel.ai/v1/search` support. ([#85158](openclaw/openclaw#85158)) Thanks [@NormallyGaussian](https://github.com/NormallyGaussian).
- Matrix/channels: add voice-message preflight and thread-aware read/reply behavior, including Matrix QA scenario wiring and docs for voice-message behavior. ([#78016](openclaw/openclaw#78016), [#90415](openclaw/openclaw#90415))
- Skills/ClawHub: install ClawHub skills backed by GitHub repositories through the resolved install API, download the pinned GitHub commit, keep install-policy checks, and report install telemetry after success. ([#90478](openclaw/openclaw#90478)) Thanks [@Patrick-Erichsen](https://github.com/Patrick-Erichsen).
- Google Chat/channels: add native approval card actions and click handling so Google Chat approvals use platform-native cards instead of generic message flow.
- Mobile: Android provider/model screens now surface expiring, unavailable, unresolved, and attention states more clearly, while iOS settings and Talk tabs keep diagnostics, gateway rows, attachment labels, and unavailable Talk controls reachable.
- Memory: QMD search can use the new rerank toggle, and memory adapter status uses the resolved default model identity when checking plain status. ([#61834](openclaw/openclaw#61834))
- Docs/tooling: add Parallel search docs, refresh weather-skill guidance toward `web_fetch`, clarify legacy `openai-codex` auth, document release/test helper scripts, and tighten changed-test routing docs for CI/debugging work. ([#90028](openclaw/openclaw#90028), [#90250](openclaw/openclaw#90250)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev).
- Release/process: switch release trains to `YYYY.M.PATCH` monthly patch numbering, keep pre-transition tags compatible, and pin the June 2026 floor at `2026.6.5` after the published beta.
- Platform maintenance: refresh Android, Swift/macOS, Docker, CodeQL, Buildx, Docker build/push, and Codex Action dependencies for this release train. ([#74980](openclaw/openclaw#74980), [#81757](openclaw/openclaw#81757), [#86481](openclaw/openclaw#86481), [#86483](openclaw/openclaw#86483), [#90601](openclaw/openclaw#90601))
- QQBot: add `/bot-group-allways on|off` slash command (with named-account and default-account support) to toggle whether group messages require an `@mention` before the bot replies, and clear the runtime config snapshot after the write so the new account-level `defaultRequireMention` takes effect immediately without restart. ([#91423](openclaw/openclaw#91423)) Thanks [@cxyhhhhh](https://github.com/cxyhhhhh).

##### Fixes

- Channel content boundaries: QQBot now strips reasoning/thinking tags before sending, preserving final answers while hiding internal model narration from users. ([#89913](openclaw/openclaw#89913), [#90132](openclaw/openclaw#90132)) Thanks [@openperf](https://github.com/openperf).
- Agents/MCP/providers: coerce non-text/image MCP tool-result blocks before they reach provider converters, preserving valid images and turning richer MCP content into text instead of malformed image blocks. ([#90710](openclaw/openclaw#90710), [#90728](openclaw/openclaw#90728)) Thanks [@RanSHammer](https://github.com/RanSHammer) and [@849261680](https://github.com/849261680).
- Anthropic/Codex/ACP/agent recovery: defer Anthropic stream start events until `message_start`, strip stale compaction thinking signatures before Anthropic replay, detect unsigned thinking-only stalls, refresh prompt fences after compaction writes, reject empty completion handoffs, preserve parent streaming-off overrides/shared progress commentary, forward heartbeat metadata to context-engine hooks, and cover Codex session/thread migration edge cases. ([#90667](openclaw/openclaw#90667), [#90697](openclaw/openclaw#90697), [#90163](openclaw/openclaw#90163), [#90108](openclaw/openclaw#90108), [#89874](openclaw/openclaw#89874), [#89505](openclaw/openclaw#89505), [#90632](openclaw/openclaw#90632), [#89302](openclaw/openclaw#89302), [#90729](openclaw/openclaw#90729), [#90317](openclaw/openclaw#90317), [#90319](openclaw/openclaw#90319)) Thanks [@openperf](https://github.com/openperf), [@100yenadmin](https://github.com/100yenadmin), and [@ooiuuii](https://github.com/ooiuuii).
- Provider/model resolution: preserve Google Vertex ADC auth markers in generated catalogs, re-probe a single-provider primary after cooldown, share Codex model visibility, fail closed for unknown model auth, preserve Codex alias availability, keep unresolved profile refs unknown, and avoid resolving auth while listing models. ([#90506](openclaw/openclaw#90506), [#90609](openclaw/openclaw#90609), [#90717](openclaw/openclaw#90717), [#90702](openclaw/openclaw#90702)) Thanks [@849261680](https://github.com/849261680).
- Gateway/macOS/mobile: avoid duplicate Gateway probe warnings by identity, rate-limit node pairing requests while preserving paired-node reconnects, keep macOS node mode on a healthy direct Gateway session, keep iOS diagnostics and gateway rows reachable, and avoid Linux ARM Gradle resource tasks during Android builds. ([#85791](openclaw/openclaw#85791), [#90147](openclaw/openclaw#90147), [#90668](openclaw/openclaw#90668), [#90815](openclaw/openclaw#90815)) Thanks [@giodl73-repo](https://github.com/giodl73-repo) and [@vrurg](https://github.com/vrurg).
- TUI/chat/Workboard/auto-reply: optimistic user messages stay stable across stale history reloads, runId reassignment, and abort windows instead of disappearing, jumping, or lingering as ghost rows; Workboard stale lifecycle bulk updates no longer overwrite newer status/provenance; message-tool sends now count as delivery. ([#86205](openclaw/openclaw#86205), [#89600](openclaw/openclaw#89600), [#88592](openclaw/openclaw#88592), [#90123](openclaw/openclaw#90123)) Thanks [@RomneyDa](https://github.com/RomneyDa).
- Cron/update/service env: doctor config preflight now migrates legacy cron JSON stores into SQLite before runtime reads, service env planning skips unresolved placeholders that would mask state-dir `.env` values, and session transcript rewrites keep registry markers/discriminants consistent. ([#90072](openclaw/openclaw#90072), [#90208](openclaw/openclaw#90208), [#90277](openclaw/openclaw#90277), [#90488](openclaw/openclaw#90488)) Thanks [@MonkeyLeeT](https://github.com/MonkeyLeeT) and [@sallyom](https://github.com/sallyom).
- Security/config/tooling: guard MCP HTTP redirects, protect global agent config defaults, and keep release/test/tooling proof failures bounded and explicit. ([#89732](openclaw/openclaw#89732), [#90145](openclaw/openclaw#90145))
- Channels: WhatsApp restarts when per-account config changes, bounds background startup waits, closes failed sockets, and preserves reconnect behavior; Mattermost slash commands keep their state on `globalThis`; Feishu streaming cards preserve full merged content; voice-call tracks Twilio streams after connect; ClickClack reply tools respect `toolsAllow`. ([#87951](openclaw/openclaw#87951), [#87965](openclaw/openclaw#87965), [#90486](openclaw/openclaw#90486), [#68113](openclaw/openclaw#68113), [#90534](openclaw/openclaw#90534), [#90181](openclaw/openclaw#90181), [#90607](openclaw/openclaw#90607), [#89500](openclaw/openclaw#89500)) Thanks [@MukundaKatta](https://github.com/MukundaKatta), [@mcaxtr](https://github.com/mcaxtr), [@infoanton](https://github.com/infoanton), [@mushuiyu886](https://github.com/mushuiyu886), and [@sahibzada-allahyar](https://github.com/sahibzada-allahyar).
- Feishu: retry transient send rate-limit errors (HTTP 429, per-chat code 230020, tenant-level code 11232) with linear backoff, including SDK responses that fulfill with rate-limit bodies instead of throwing, and route streaming-card sends through the retry wrapper. ([#89659](openclaw/openclaw#89659)) Thanks [@ladygege](https://github.com/ladygege).
- Release/CI/E2E: main CI guard drift, PR merge diff scoping, live Docker credential staging, base-image qualification, installer Docker classification, Playwright dependency install recovery, API-key auth for Codex live Docker lanes, Parallels option terminators, and JSON-mode progress handling are tighter so release proof fails cleaner. ([#90532](openclaw/openclaw#90532), [#90287](openclaw/openclaw#90287), [#90058](openclaw/openclaw#90058)) Thanks [@RomneyDa](https://github.com/RomneyDa), [@hxy91819](https://github.com/hxy91819), and [@mrunalp](https://github.com/mrunalp).
- Release/CI/E2E: Docker E2E and live Docker harness runs now apply default memory, CPU, and process ceilings while preserving explicit per-lane overrides.
- Release/CI/E2E: plugin lifecycle matrix resource sampling now fails phases that exceed RSS, wall-clock, or CPU ceilings instead of only logging the measurements.
- Release/CI/E2E: Codex npm plugin live assertions now cap transcript discovery and diagnostic log reads so failure proof stays bounded.
- Tests/state isolation: QA Lab valid-tool-call metrics now require runtime tool-call evidence when runtime parity data is available instead of counting tool-backed scenario pass status alone.
- Tests/state isolation: QA Lab runtime parity now fails planned-only tool-call rows without matching tool results instead of treating matching mock plans as real tool evidence.
- Tests/state isolation: provider, media, auth, cron, task, session, sandbox, Gateway, and Codex timeout fixtures now scope more home/state/env data per test, reducing cross-test leakage and making release validation failures less noisy. ([#90027](openclaw/openclaw#90027), [#89974](openclaw/openclaw#89974))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/963