chore: 2.0.0-alpha.9 — security & correctness hardening (Void 3.0 quick wins)

- Q3: prod void DB role NOSUPERUSER (vector marked trusted; deploy/README documents it) - Q4: buildChildEnv allow-list for the claude subprocess (no OWNER_TOKEN/DATABASE_URL/secrets leak) - Q5: pending-change approve claims-before-applying + reopens on failure (no re-approvable dup) - Q6: /capture/upload validates space_id (UUID+existence); pg pool statement_timeout 30s - Q9: disabled failing syncoid-donatello timer on Z Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 07:54:57 +10:00
parent 1e1d0c539d
commit 925cb0d7d6
12 changed files with 150 additions and 11 deletions
--- a/lib/ai/claude_cli.js
+++ b/lib/ai/claude_cli.js
@@ -47,6 +47,35 @@
 import { spawn } from 'child_process';
 import { createInterface } from 'readline';

+// Benign, non-secret vars the `claude` CLI legitimately needs in its child env.
+// HOME is added separately (subscription creds live at ~/.claude). Everything
+// else — OWNER_TOKEN, DATABASE_URL, KARAKEEP_*, ANTHROPIC_* — is intentionally
+// excluded. The companion MCP server gets DATABASE_URL/OLLAMA_URL via its own
+// explicit --mcp-config env (see companion.js), so it does NOT rely on these.
+const ENV_ALLOW = [
+  'PATH', 'LANG', 'LANGUAGE', 'LC_ALL', 'LC_CTYPE', 'USER', 'LOGNAME', 'SHELL',
+  'TERM', 'TMPDIR', 'XDG_RUNTIME_DIR', 'XDG_CONFIG_HOME', 'XDG_CACHE_HOME', 'XDG_DATA_HOME'
+];
+
+/**
+ * Build an allow-listed child environment for the `claude` subprocess. Only
+ * benign system vars + `CLAUDE_*` config pass through; app secrets never do.
+ * Excluding ANTHROPIC_* also forces subscription/OAuth auth.
+ * @param {object} parentEnv  Source env (usually process.env)
+ * @param {string} [home]     Override for HOME (service-user creds dir)
+ */
+export function buildChildEnv(parentEnv = process.env, home) {
+  const out = {};
+  for (const k of ENV_ALLOW) {
+    if (parentEnv[k] !== undefined) out[k] = parentEnv[k];
+  }
+  for (const k of Object.keys(parentEnv)) {
+    if (k.startsWith('CLAUDE_') && !k.startsWith('ANTHROPIC')) out[k] = parentEnv[k];
+  }
+  out.HOME = home || parentEnv.HOME;
+  return out;
+}
+
 /**
 * Run a single non-interactive Claude CLI turn.
 *
@@ -116,11 +145,8 @@ export async function runClaudeTurn(opts) {
  // positional prompt after them is swallowed ("Input must be provided..."). The
  // CLI reads the prompt from stdin in --print mode.

-  // Child env: clone, strip API key env vars so CLI uses subscription/OAuth auth
-  const childEnv = { ...process.env };
-  delete childEnv.ANTHROPIC_API_KEY;
-  delete childEnv.ANTHROPIC_AUTH_TOKEN;
-  if (home) childEnv.HOME = home;
+  // Child env: allow-list only (no app secrets reach the CLI). See buildChildEnv.
+  const childEnv = buildChildEnv(process.env, home);

  // Accumulated state
  let text = '';