Filter environment variables in both sandbox modes

Whitelist mode now clears the parent env and re-adds a small allowlist (identity, terminal, locale, proxy, non-GUI XDG, vendor prefixes). Blacklist mode strips cloud credentials, backup passphrases, dangling socket pointers, and anything matching *_TOKEN, *_SECRET, *_PASSWORD, *_PASSPHRASE, *_API_KEY, *_PRIVATE_KEY, *_CLIENT_SECRET; vendor prefix carve-outs keep ANTHROPIC_API_KEY and friends. Users can override via --setenv KEY=VALUE and --unsetenv KEY (and the corresponding TOML keys), or opt out of the built-in policy entirely with --no-env-filter.
2026-04-08 09:22:11 +02:00
parent 12644ae31e
commit 25f0037aab
8 changed files with 638 additions and 5 deletions
--- a/README.md
+++ b/README.md
@@ -16,6 +16,15 @@ The threat model is prompt injection and accidental damage, not a determined att
 **Not protected in blacklist mode:** arbitrary readable files outside the sensitive paths list, and D-Bus method calls (access control is daemon-side).
 ## Environment filtering
 Both modes clamp the environment the child sees so prompt-injected agents can't `printenv` their way to secrets.
 - **Whitelist** clears the parent env and re-adds a small allowlist: identity/shell vars (`HOME`, `PATH`, …), terminal/locale, proxy, non-GUI XDG base dirs, and agent vendor prefixes (`ANTHROPIC_*`, `CLAUDE_*`, `OPENAI_*`, `CODEX_*`, `GEMINI_*`, `OTEL_*`).
 - **Blacklist** keeps the parent env but unsets credentials and dangling pointers: cloud creds (`AWS_*`, `GOOGLE_APPLICATION_CREDENTIALS`, …), backup tool passphrases, sockets stripped by path overlays (`SSH_AUTH_SOCK`, `DISPLAY`, `GNUPGHOME`, …), and anything matching `*_TOKEN`, `*_SECRET`, `*_PASSWORD`, `*_PASSPHRASE`, `*_API_KEY`, `*_PRIVATE_KEY`, `*_CLIENT_SECRET`. Vendor-prefix vars (`ANTHROPIC_API_KEY` etc.) are carved out so they survive.
 Disable the built-in policy entirely with `--no-env-filter` (or `env-filter = false` in the config file) to pass the parent env through unchanged. User `--setenv`/`--unsetenv` escape hatches still apply.
 ## Seccomp
 Both modes apply a seccomp-BPF syscall allowlist derived from Podman's default profile. Dangerous syscalls (`mount`, `unshare`, `ptrace`, `bpf`, `perf_event_open`, `io_uring_*`, `keyctl`, `kexec_*`, …) return `ENOSYS`. Disable with `--no-seccomp` or `seccomp = false` in the config file.
@@ -41,9 +50,11 @@ command = ["claude", "--dangerously-skip-permissions"]
 ## Escape hatches
-When the agent needs access to something the sandbox blocks, use `--rw` or `--ro`:
+When the agent needs access to something the sandbox blocks, use `--rw` or `--ro` for paths and `--setenv`/`--unsetenv` for env vars. User overrides always win over the built-in policies.
 ```bash
 agent-sandbox --rw /var/run/docker.sock -- claude --dangerously-skip-permissions
 agent-sandbox --ro ~/.aws -- claude --dangerously-skip-permissions
 agent-sandbox --setenv DATABASE_URL=postgres://localhost/dev -- claude
 agent-sandbox --unsetenv HTTP_PROXY -- claude
 ```
--- a/config-example.toml
+++ b/config-example.toml
@@ -12,6 +12,8 @@ rw = [
    "~/.cargo",
    "~/.rustup",
 ]
 setenv = { DATABASE_URL = "postgres://localhost/dev" }
 unsetenv = ["HTTP_PROXY", "HTTPS_PROXY"]
 entrypoint = ["claude", "--dangerously-skip-permissions"]
 [profile.blacklist]
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -42,6 +42,14 @@ pub struct Args {
    #[arg(long, overrides_with = "seccomp")]
    pub no_seccomp: bool,
    /// Enable built-in env filtering (on by default; overrides config-file `env-filter = false`)
    #[arg(long, overrides_with = "no_env_filter")]
    pub env_filter: bool,
    /// Disable built-in env filtering; pass the parent env through unchanged
    #[arg(long, overrides_with = "env_filter")]
    pub no_env_filter: bool,
    /// Bind an extra path read-write (repeatable)
    #[arg(long = "rw", value_name = "PATH", action = clap::ArgAction::Append)]
    pub extra_rw: Vec<PathBuf>,
@@ -78,6 +86,19 @@ pub struct Args {
    #[arg(long = "mask", value_name = "PATH", action = clap::ArgAction::Append)]
    pub mask: Vec<PathBuf>,
    /// Force-set an environment variable inside the sandbox (repeatable)
    #[arg(
        long = "setenv",
        value_name = "KEY=VALUE",
        value_parser = parse_key_value,
        action = clap::ArgAction::Append,
    )]
    pub setenv: Vec<(String, String)>,
    /// Force-unset an environment variable inside the sandbox (repeatable)
    #[arg(long = "unsetenv", value_name = "KEY", action = clap::ArgAction::Append)]
    pub unsetenv: Vec<String>,
    /// Pass an arbitrary argument directly to bwrap (repeatable)
    #[arg(long = "bwrap-arg", value_name = "ARG", action = clap::ArgAction::Append)]
    pub bwrap_args: Vec<String>,
@@ -90,3 +111,13 @@ pub struct Args {
    #[arg(trailing_var_arg = true, allow_hyphen_values = true)]
    pub command_and_args: Vec<OsString>,
 }
 fn parse_key_value(raw: &str) -> Result<(String, String), String> {
    let (key, value) = raw
        .split_once('=')
        .ok_or_else(|| format!("expected KEY=VALUE, got {raw:?}"))?;
    if key.is_empty() {
        return Err(format!("empty key in {raw:?}"));
    }
    Ok((key.to_string(), value.to_string()))
 }
--- a/src/config.rs
+++ b/src/config.rs
@@ -1,4 +1,4 @@
-use std::collections::HashMap;
+use std::collections::{BTreeMap, HashMap};
 use std::ffi::OsString;
 use std::path::{Path, PathBuf};
@@ -44,6 +44,12 @@ pub fn build(args: Args, file_config: Option<FileConfig>) -> Result<SandboxConfi
            globals.seccomp,
            true,
        ),
        env_filter: merge_flag_with_default(
            merge_flag_pair(args.env_filter, args.no_env_filter),
            profile.env_filter,
            globals.env_filter,
            true,
        ),
        dry_run: merge_flag(
            merge_flag_pair(args.dry_run, args.no_dry_run),
            profile.dry_run,
@@ -53,6 +59,8 @@ pub fn build(args: Args, file_config: Option<FileConfig>) -> Result<SandboxConfi
        extra_rw: merge_paths(args.extra_rw, &profile.rw, &globals.rw)?,
        extra_ro: merge_paths(args.extra_ro, &profile.ro, &globals.ro)?,
        mask: merge_vecs(args.mask, &profile.mask, &globals.mask),
        setenv: merge_setenv(args.setenv, &profile.setenv, &globals.setenv),
        unsetenv: merge_vecs(args.unsetenv, &profile.unsetenv, &globals.unsetenv),
        bwrap_args: split_bwrap_args(merge_vecs(
            args.bwrap_args,
            &profile.bwrap_args,
@@ -158,6 +166,21 @@ fn merge_vecs<T: Clone>(cli: Vec<T>, profile: &[T], globals: &[T]) -> Vec<T> {
    globals.iter().chain(profile).cloned().chain(cli).collect()
 }
 fn merge_setenv(
    cli: Vec<(String, String)>,
    profile: &BTreeMap<String, String>,
    globals: &BTreeMap<String, String>,
 ) -> Vec<(String, String)> {
    let mut merged: BTreeMap<String, String> = globals.clone();
    for (k, v) in profile {
        merged.insert(k.clone(), v.clone());
    }
    for (k, v) in cli {
        merged.insert(k, v);
    }
    merged.into_iter().collect()
 }
 fn resolve_command(
    cli_entrypoint: Option<String>,
    mut passthrough_args: Vec<OsString>,
@@ -260,6 +283,7 @@ pub struct Options {
    pub hardened: Option<bool>,
    pub unshare_net: Option<bool>,
    pub seccomp: Option<bool>,
    pub env_filter: Option<bool>,
    pub entrypoint: Option<CommandValue>,
    pub command: Option<CommandValue>,
    pub dry_run: Option<bool>,
@@ -271,6 +295,10 @@ pub struct Options {
    #[serde(default)]
    pub mask: Vec<PathBuf>,
    #[serde(default)]
    pub setenv: BTreeMap<String, String>,
    #[serde(default)]
    pub unsetenv: Vec<String>,
    #[serde(default)]
    pub bwrap_args: Vec<String>,
 }
@@ -908,6 +936,70 @@ mod tests {
        assert_eq!(config.chdir, std::fs::canonicalize("/tmp").unwrap());
    }
    #[test]
    fn build_setenv_merges_globals_profile_cli() {
        let file_config = FileConfig {
            options: Options {
                setenv: BTreeMap::from([
                    ("A".into(), "global".into()),
                    ("B".into(), "global".into()),
                ]),
                ..Options::default()
            },
            profile: HashMap::from([(
                "p".into(),
                Options {
                    setenv: BTreeMap::from([
                        ("B".into(), "profile".into()),
                        ("C".into(), "profile".into()),
                    ]),
                    ..Options::default()
                },
            )]),
            ..FileConfig::default()
        };
        let args = Args {
            profile: Some("p".into()),
            setenv: vec![("C".into(), "cli".into()), ("D".into(), "cli".into())],
            ..args_with_command()
        };
        let config = build(args, Some(file_config)).unwrap();
        assert_eq!(
            config.setenv,
            vec![
                ("A".into(), "global".into()),
                ("B".into(), "profile".into()),
                ("C".into(), "cli".into()),
                ("D".into(), "cli".into()),
            ]
        );
    }
    #[test]
    fn build_unsetenv_accumulates() {
        let file_config = FileConfig {
            options: Options {
                unsetenv: vec!["G".into()],
                ..Options::default()
            },
            profile: HashMap::from([(
                "p".into(),
                Options {
                    unsetenv: vec!["P".into()],
                    ..Options::default()
                },
            )]),
            ..FileConfig::default()
        };
        let args = Args {
            profile: Some("p".into()),
            unsetenv: vec!["C".into()],
            ..args_with_command()
        };
        let config = build(args, Some(file_config)).unwrap();
        assert_eq!(config.unsetenv, vec!["G", "P", "C"]);
    }
    #[test]
    fn build_mask_accumulates() {
        let file_config = FileConfig {
--- a/src/env.rs
+++ b/src/env.rs
@@ -0,0 +1,136 @@
 pub fn whitelist_env_args(parent_env: &[(String, String)]) -> Vec<String> {
    let mut args = vec!["--clearenv".to_string()];
    for (key, value) in parent_env {
        if whitelist_keeps(key) {
            args.push("--setenv".to_string());
            args.push(key.clone());
            args.push(value.clone());
        }
    }
    args
 }
 fn whitelist_keeps(key: &str) -> bool {
    WHITELIST_KEEP_EXACT.contains(&key)
        || WHITELIST_KEEP_PREFIXES
            .iter()
            .any(|prefix| key.starts_with(prefix))
 }
 const WHITELIST_KEEP_EXACT: &[&str] = &[
    // identity / shell
    "HOME",
    "USER",
    "LOGNAME",
    "PATH",
    "SHELL",
    // terminal
    "TERM",
    "COLORTERM",
    "NO_COLOR",
    "FORCE_COLOR",
    "CLICOLOR",
    // locale
    "LANG",
    "TZ",
    // editor
    "EDITOR",
    "VISUAL",
    "PAGER",
    // tmp
    "TMPDIR",
    // proxy
    "HTTP_PROXY",
    "HTTPS_PROXY",
    "NO_PROXY",
    "ALL_PROXY",
    "http_proxy",
    "https_proxy",
    "no_proxy",
    "all_proxy",
    // non-GUI XDG base dirs
    "XDG_CONFIG_HOME",
    "XDG_DATA_HOME",
    "XDG_CACHE_HOME",
    "XDG_STATE_HOME",
    "XDG_CONFIG_DIRS",
    "XDG_DATA_DIRS",
 ];
 const WHITELIST_KEEP_PREFIXES: &[&str] = &[
    "LC_",
    "ANTHROPIC_",
    "CLAUDE_",
    "CLAUDECODE",
    "OPENAI_",
    "CODEX_",
    "GEMINI_",
    "OTEL_",
 ];
 pub fn blacklist_env_args(parent_env: &[(String, String)]) -> Vec<String> {
    let mut args = Vec::new();
    for (key, _) in parent_env {
        if blacklist_drops(key) {
            args.push("--unsetenv".to_string());
            args.push(key.clone());
        }
    }
    args
 }
 fn blacklist_drops(key: &str) -> bool {
    if BLACKLIST_KEEP_PREFIXES
        .iter()
        .any(|prefix| key.starts_with(prefix))
    {
        return false;
    }
    if BLACKLIST_DROP_EXACT.contains(&key) {
        return true;
    }
    BLACKLIST_DROP_SUFFIXES
        .iter()
        .any(|suffix| key.ends_with(suffix))
 }
 const BLACKLIST_KEEP_PREFIXES: &[&str] = &["ANTHROPIC_", "CLAUDE_", "OPENAI_", "CODEX_", "GEMINI_"];
 const BLACKLIST_DROP_EXACT: &[&str] = &[
    // dangling sockets after path overlays
    "DISPLAY",
    "WAYLAND_DISPLAY",
    "XAUTHORITY",
    "ICEAUTHORITY",
    "SESSION_MANAGER",
    "SSH_AUTH_SOCK",
    "SSH_AGENT_PID",
    "GPG_AGENT_INFO",
    "GPG_TTY",
    "GNUPGHOME",
    // cloud creds (don't fit suffix patterns)
    "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY",
    "AWS_SESSION_TOKEN",
    "AWS_SECURITY_TOKEN",
    "AWS_PROFILE",
    "GOOGLE_APPLICATION_CREDENTIALS",
    "AZURE_CLIENT_ID",
    "AZURE_TENANT_ID",
    // backups
    "RESTIC_PASSWORD_COMMAND",
    "RESTIC_PASSWORD_FILE",
    "RESTIC_KEY_HINT",
    "BORG_PASSPHRASE",
    "BORG_PASSCOMMAND",
 ];
 const BLACKLIST_DROP_SUFFIXES: &[&str] = &[
    "_TOKEN",
    "_SECRET",
    "_PASSWORD",
    "_PASSPHRASE",
    "_API_KEY",
    "_PRIVATE_KEY",
    "_CLIENT_SECRET",
 ];
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -2,6 +2,7 @@ mod agents;
 mod blacklist;
 pub mod cli;
 pub mod config;
 mod env;
 mod errors;
 mod preflight;
 mod sandbox;
@@ -9,7 +10,6 @@ mod seccomp;
 pub use errors::SandboxError;
 use std::env;
 use std::ffi::OsString;
 use std::fs;
 use std::os::unix::process::CommandExt;
@@ -25,9 +25,12 @@ pub struct SandboxConfig {
    pub hardened: bool,
    pub unshare_net: bool,
    pub seccomp: bool,
    pub env_filter: bool,
    pub extra_rw: Vec<PathBuf>,
    pub extra_ro: Vec<PathBuf>,
    pub mask: Vec<PathBuf>,
    pub setenv: Vec<(String, String)>,
    pub unsetenv: Vec<String>,
    pub bwrap_args: Vec<String>,
    pub command: PathBuf,
    pub command_args: Vec<OsString>,
@@ -36,14 +39,14 @@ pub struct SandboxConfig {
 }
 pub fn require_home() -> Result<String, SandboxError> {
-    env::var("HOME")
+    std::env::var("HOME")
        .ok()
        .filter(|h| !h.is_empty())
        .ok_or(SandboxError::HomeNotSet)
 }
 pub fn require_run_user() -> Result<String, SandboxError> {
-    env::var("XDG_RUNTIME_DIR")
+    std::env::var("XDG_RUNTIME_DIR")
        .ok()
        .or_else(resolve_run_user_from_proc)
        .ok_or(SandboxError::RunUserNotFound)
--- a/src/sandbox.rs
+++ b/src/sandbox.rs
@@ -3,6 +3,7 @@ use std::process::Command;
 use crate::agents;
 use crate::blacklist;
 use crate::env;
 use crate::seccomp;
 use crate::{SandboxConfig, SandboxError, SandboxMode};
@@ -35,6 +36,9 @@ pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
        add_ro_bind(&mut cmd, path)?;
    }
    add_env_policy(&mut cmd, config);
    add_user_env_overrides(&mut cmd, config);
    cmd.args(["--remount-ro", "/"]);
    cmd.arg("--new-session");
    cmd.arg("--die-with-parent");
@@ -55,6 +59,27 @@ pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
    Ok(cmd)
 }
 fn add_env_policy(cmd: &mut Command, config: &SandboxConfig) {
    if !config.env_filter {
        return;
    }
    let parent_env: Vec<(String, String)> = std::env::vars().collect();
    let args = match config.mode {
        SandboxMode::Blacklist => env::blacklist_env_args(&parent_env),
        SandboxMode::Whitelist => env::whitelist_env_args(&parent_env),
    };
    cmd.args(args);
 }
 fn add_user_env_overrides(cmd: &mut Command, config: &SandboxConfig) {
    for (key, value) in &config.setenv {
        cmd.arg("--setenv").arg(key).arg(value);
    }
    for key in &config.unsetenv {
        cmd.arg("--unsetenv").arg(key);
    }
 }
 fn apply_masks(cmd: &mut Command, masks: &[PathBuf]) {
    for path in masks {
        if path.is_file() {
--- a/tests/integration.rs
+++ b/tests/integration.rs
@@ -949,6 +949,339 @@ fn seccomp_normal_workload_succeeds() {
    );
 }
 fn printenv_inside(args: &[&str], vars: &[(&str, &str)], query: &[&str]) -> String {
    let script = query
        .iter()
        .map(|v| format!("printenv {v} || echo MISSING:{v}"))
        .collect::<Vec<_>>()
        .join("; ");
    let mut cmd = sandbox(args);
    for (k, v) in vars {
        cmd.env(k, v);
    }
    let output = cmd
        .args(["--", "bash", "-c", &script])
        .output()
        .expect("agent-sandbox binary failed to execute");
    String::from_utf8_lossy(&output.stdout).into_owned()
 }
 #[test]
 fn whitelist_keeps_identity_and_terminal_vars() {
    let stdout = printenv_inside(
        &["--whitelist"],
        &[("TERM", "xterm-test"), ("LANG", "C.UTF-8")],
        &["HOME", "PATH", "TERM", "LANG"],
    );
    assert!(!stdout.contains("MISSING:HOME"), "HOME stripped: {stdout}");
    assert!(!stdout.contains("MISSING:PATH"), "PATH stripped: {stdout}");
    assert!(stdout.contains("xterm-test"), "TERM stripped: {stdout}");
    assert!(stdout.contains("C.UTF-8"), "LANG stripped: {stdout}");
 }
 #[test]
 fn whitelist_strips_arbitrary_host_var() {
    let stdout = printenv_inside(
        &["--whitelist"],
        &[("SOME_RANDOM_NOISE_VAR", "leak")],
        &["SOME_RANDOM_NOISE_VAR"],
    );
    assert!(
        stdout.contains("MISSING:SOME_RANDOM_NOISE_VAR"),
        "expected arbitrary host var to be stripped, got: {stdout}"
    );
    assert!(!stdout.contains("leak"));
 }
 #[test]
 fn whitelist_keeps_vendor_prefixes() {
    let stdout = printenv_inside(
        &["--whitelist"],
        &[
            ("CLAUDE_FOO", "claude-val"),
            ("ANTHROPIC_MODEL", "anthropic-val"),
            ("OPENAI_API_KEY", "openai-val"),
            ("CODEX_FOO", "codex-val"),
            ("GEMINI_API_KEY", "gemini-val"),
            ("OTEL_SERVICE_NAME", "otel-val"),
        ],
        &[
            "CLAUDE_FOO",
            "ANTHROPIC_MODEL",
            "OPENAI_API_KEY",
            "CODEX_FOO",
            "GEMINI_API_KEY",
            "OTEL_SERVICE_NAME",
        ],
    );
    for expected in [
        "claude-val",
        "anthropic-val",
        "openai-val",
        "codex-val",
        "gemini-val",
        "otel-val",
    ] {
        assert!(
            stdout.contains(expected),
            "expected {expected} in output, got: {stdout}"
        );
    }
    assert!(!stdout.contains("MISSING:"), "unexpected strip: {stdout}");
 }
 #[test]
 fn whitelist_keeps_lc_prefix() {
    let stdout = printenv_inside(
        &["--whitelist"],
        &[("LC_TIME", "en_US.UTF-8")],
        &["LC_TIME"],
    );
    assert!(stdout.contains("en_US.UTF-8"), "LC_TIME missing: {stdout}");
 }
 #[test]
 fn whitelist_keeps_non_gui_xdg_vars() {
    let stdout = printenv_inside(
        &["--whitelist"],
        &[
            ("XDG_CONFIG_HOME", "/cfg"),
            ("XDG_DATA_HOME", "/data"),
            ("XDG_CACHE_HOME", "/cache"),
            ("XDG_STATE_HOME", "/state"),
            ("XDG_CONFIG_DIRS", "/etc/xdg"),
            ("XDG_DATA_DIRS", "/usr/share"),
        ],
        &[
            "XDG_CONFIG_HOME",
            "XDG_DATA_HOME",
            "XDG_CACHE_HOME",
            "XDG_STATE_HOME",
            "XDG_CONFIG_DIRS",
            "XDG_DATA_DIRS",
        ],
    );
    assert!(
        !stdout.contains("MISSING:"),
        "XDG non-GUI stripped: {stdout}"
    );
 }
 #[test]
 fn whitelist_strips_gui_xdg_vars() {
    let stdout = printenv_inside(
        &["--whitelist"],
        &[
            ("XDG_RUNTIME_DIR", "/run/user/1000"),
            ("XDG_SESSION_ID", "1"),
            ("XDG_CURRENT_DESKTOP", "KDE"),
            ("XDG_SEAT", "seat0"),
        ],
        &[
            "XDG_RUNTIME_DIR",
            "XDG_SESSION_ID",
            "XDG_CURRENT_DESKTOP",
            "XDG_SEAT",
        ],
    );
    for var in [
        "XDG_RUNTIME_DIR",
        "XDG_SESSION_ID",
        "XDG_CURRENT_DESKTOP",
        "XDG_SEAT",
    ] {
        assert!(
            stdout.contains(&format!("MISSING:{var}")),
            "expected {var} stripped, got: {stdout}"
        );
    }
 }
 #[test]
 fn whitelist_strips_dbus_vars() {
    let stdout = printenv_inside(
        &["--whitelist"],
        &[
            ("DBUS_SESSION_BUS_ADDRESS", "unix:path=/foo"),
            ("DBUS_SYSTEM_BUS_ADDRESS", "unix:path=/bar"),
        ],
        &["DBUS_SESSION_BUS_ADDRESS", "DBUS_SYSTEM_BUS_ADDRESS"],
    );
    assert!(
        stdout.contains("MISSING:DBUS_SESSION_BUS_ADDRESS"),
        "expected DBUS_SESSION stripped: {stdout}"
    );
    assert!(
        stdout.contains("MISSING:DBUS_SYSTEM_BUS_ADDRESS"),
        "expected DBUS_SYSTEM stripped: {stdout}"
    );
 }
 #[test]
 fn whitelist_setenv_injects_user_var() {
    let stdout = printenv_inside(
        &["--whitelist", "--setenv", "USER_INJECTED=forced"],
        &[],
        &["USER_INJECTED"],
    );
    assert!(stdout.contains("forced"), "setenv not applied: {stdout}");
 }
 #[test]
 fn whitelist_unsetenv_overrides_kept_var() {
    let stdout = printenv_inside(
        &["--whitelist", "--unsetenv", "TERM"],
        &[("TERM", "xterm-test")],
        &["TERM"],
    );
    assert!(
        stdout.contains("MISSING:TERM"),
        "expected --unsetenv to strip kept var: {stdout}"
    );
 }
 #[test]
 fn blacklist_drops_token_and_secret_vars() {
    let stdout = printenv_inside(
        &[],
        &[
            ("GH_TOKEN", "gh-secret"),
            ("AWS_SECRET_ACCESS_KEY", "aws-secret"),
            ("MY_PASSWORD", "pw"),
            ("FOO_API_KEY", "fookey"),
        ],
        &[
            "GH_TOKEN",
            "AWS_SECRET_ACCESS_KEY",
            "MY_PASSWORD",
            "FOO_API_KEY",
        ],
    );
    for var in [
        "GH_TOKEN",
        "AWS_SECRET_ACCESS_KEY",
        "MY_PASSWORD",
        "FOO_API_KEY",
    ] {
        assert!(
            stdout.contains(&format!("MISSING:{var}")),
            "expected {var} stripped in blacklist mode, got: {stdout}"
        );
    }
    for leaked in ["gh-secret", "aws-secret", "pw", "fookey"] {
        assert!(!stdout.contains(leaked), "{leaked} leaked: {stdout}");
    }
 }
 #[test]
 fn blacklist_carves_out_vendor_api_keys() {
    let stdout = printenv_inside(
        &[],
        &[
            ("ANTHROPIC_API_KEY", "anthropic-key"),
            ("OPENAI_API_KEY", "openai-key"),
            ("GEMINI_API_KEY", "gemini-key"),
        ],
        &["ANTHROPIC_API_KEY", "OPENAI_API_KEY", "GEMINI_API_KEY"],
    );
    for expected in ["anthropic-key", "openai-key", "gemini-key"] {
        assert!(
            stdout.contains(expected),
            "expected {expected} to survive carve-out, got: {stdout}"
        );
    }
    assert!(!stdout.contains("MISSING:"), "carve-out failed: {stdout}");
 }
 #[test]
 fn blacklist_suffix_match_does_not_catch_substring() {
    let stdout = printenv_inside(
        &[],
        &[
            ("TOKENIZER_PATH", "/opt/tok"),
            ("MY_TOKEN_HOLDER", "holder"),
        ],
        &["TOKENIZER_PATH", "MY_TOKEN_HOLDER"],
    );
    assert!(
        stdout.contains("/opt/tok"),
        "TOKENIZER_PATH stripped: {stdout}"
    );
    assert!(
        stdout.contains("holder"),
        "MY_TOKEN_HOLDER stripped: {stdout}"
    );
 }
 #[test]
 fn blacklist_keeps_unrelated_host_var() {
    let stdout = printenv_inside(&[], &[("MY_NICE_VAR", "hello")], &["MY_NICE_VAR"]);
    assert!(stdout.contains("hello"), "MY_NICE_VAR stripped: {stdout}");
 }
 #[test]
 fn blacklist_keeps_dbus_vars() {
    let stdout = printenv_inside(
        &[],
        &[
            ("DBUS_SESSION_BUS_ADDRESS", "unix:path=/tmp/fake"),
            ("DBUS_SYSTEM_BUS_ADDRESS", "unix:path=/tmp/fake-system"),
        ],
        &["DBUS_SESSION_BUS_ADDRESS", "DBUS_SYSTEM_BUS_ADDRESS"],
    );
    assert!(stdout.contains("unix:path=/tmp/fake"));
    assert!(stdout.contains("unix:path=/tmp/fake-system"));
 }
 #[test]
 fn no_env_filter_whitelist_keeps_arbitrary_host_var() {
    let stdout = printenv_inside(
        &["--whitelist", "--no-env-filter"],
        &[("SOME_RANDOM_NOISE_VAR", "kept")],
        &["SOME_RANDOM_NOISE_VAR"],
    );
    assert!(
        stdout.contains("kept"),
        "expected --no-env-filter to pass host var through, got: {stdout}"
    );
 }
 #[test]
 fn no_env_filter_blacklist_keeps_secrets() {
    let stdout = printenv_inside(&["--no-env-filter"], &[("GH_TOKEN", "kept")], &["GH_TOKEN"]);
    assert!(
        stdout.contains("kept"),
        "expected --no-env-filter to pass secrets through, got: {stdout}"
    );
 }
 #[test]
 fn no_env_filter_still_honors_user_setenv() {
    let stdout = printenv_inside(
        &["--no-env-filter", "--setenv", "FORCED=yes"],
        &[],
        &["FORCED"],
    );
    assert!(
        stdout.contains("yes"),
        "expected user --setenv to still work with --no-env-filter, got: {stdout}"
    );
 }
 #[test]
 fn blacklist_setenv_overrides_builtin_deny() {
    let stdout = printenv_inside(
        &["--setenv", "GH_TOKEN=overridden"],
        &[("GH_TOKEN", "original")],
        &["GH_TOKEN"],
    );
    assert!(
        stdout.contains("overridden"),
        "expected --setenv to override deny, got: {stdout}"
    );
    assert!(!stdout.contains("original"));
 }
 #[test]
 fn seccomp_bash_pthread_fallback_works() {
    // Verifies the ENOSYS-not-EPERM choice for clone3 doesn't break libc's