Add environment variable discovery and injection for repository providers#9

Merged
BillJr99 merged 1 commit into main from claude/admiring-newton-FuK5K-env-keys
May 25, 2026

@BillJr99
Owner

Summary

This PR adds support for auto-discovering environment variables from .env.example files in cloned repositories and injecting them as secrets through the proxy's Secrets UI. Repository providers can now declare which environment keys their build commands and spawn process require, with values supplied via the proxy's existing secrets mechanism.

Key Changes

  • Environment variable discovery: Added _parse_env_example() to extract KEY names from .env.example, .env.sample, or .env.template files in repository workdirs
  • Workdir .env file generation: Added _write_workdir_env_file() to write a .env file into the cloned repository containing only the environment variables that are actually set, allowing dotenv-style loaders to pick them up
  • Repository provider env_keys field: Extended the repository provider spec to include an env_keys list that gets auto-discovered during clone/build and can be manually edited
  • Clone and build resilience: Modified /api/clone-and-build to parse .env.example after cloning but before building, and return discovered env_keys even when build commands fail (allowing users to populate secrets and retry on next restart)
  • New /api/scan-env-example endpoint: Allows re-scanning .env.example without re-running the full build
  • Process environment injection: Updated ProcessSession to accept env_keys and read fresh values from MCP_ENV_FILE on each spawn, enabling secrets added via the UI after server start to be picked up without a full restart
  • UI enhancements: Added env keys editor in the repository provider form with "↻ Re-scan" button, improved help text around build commands vs spawn commands, and integrated env key discovery into the wizard flow
  • Server-side materialization: Updated materialize_repository() to write .env files before running build commands, ensuring build scripts that require secrets can access them

Implementation Details

  • Environment variables are only written to .env if they have non-empty values in the current process environment, preventing unset placeholders from leaking
  • The session registry key now includes env_keys tuple to ensure different env-key sets get distinct subprocesses
  • Build command failures are tolerated when env_keys are missing — the wizard surfaces the error but still continues to the Secrets step with discovered keys
  • The _build_env() method in ProcessSession re-reads MCP_ENV_FILE on each spawn to pick up secrets added via the UI after server start
  • Env keys are deduplicated across tool secrets and repository env_keys
  • Empty env_keys lists are omitted from YAML output for cleaner configs

https://claude.ai/code/session_01R2Vi6NE4wGxwv6rZ2HEXji

Real-world MCP repos (e.g. felipfr/linkedin-mcpserver) load secrets via
tsx --env-file=.env at server start, so the cloned workdir needs a
populated .env.  Reuse the existing Secrets manager: parse .env.example
after clone, declare the keys in repository.env_keys, and materialise
<workdir>/.env from os.environ / MCP_ENV_FILE before every build and
every subprocess spawn.

- frontend: /api/clone-and-build parses .env.example, returns env_keys
  even when a build command fails (so the wizard can still drive the
  user to the Secrets step). New /api/scan-env-example endpoint for
  the editor's re-scan button.
- server: materialize_repository writes <workdir>/.env BEFORE running
  build commands so dotenv-style scripts see the values on first build.
- process_runner: ProcessSession accepts env_keys, refreshes them from
  MCP_ENV_FILE on every _start so new secrets are picked up without restart.
- _extract_secret_env_keys now folds in repository.env_keys, so the
  missing-secrets badge and Secrets modal work unchanged.
- Wizard: build failures no longer abort — placeholder tool is inserted,
  user proceeds to fill secrets, next restart's materialize_repository
  succeeds.  Help text clarifies build vs spawn command.
- Editor: env-keys list + "↻ Re-scan .env.example" button.
- README: "Secrets from .env.example" and "Build failures while secrets
  are missing" sections.
@BillJr99 BillJr99 merged commit 5b8cff3 into main May 25, 2026
2 checks passed
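
A sketch of the key-discovery and `.env`-writing steps this PR describes, added here as an illustration and not taken from the project's code. The function names, the first-template-found rule, the identifier regex, and the POSIX-only `0600`/`O_NOFOLLOW` handling are assumptions; the template and the existing workdir contents come from the cloned repository, so both are treated as untrusted input.

```python
import os
import re
import tempfile
from pathlib import Path

# Hypothetical helpers, not the project's functions. Assumption: keys are
# shell-style identifiers, optionally prefixed by "export".
_KEY_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")
_TEMPLATES = (".env.example", ".env.sample", ".env.template")

def discover_env_keys(workdir):
    """Return KEY names (never the placeholder values) from the first template found."""
    for name in _TEMPLATES:
        path = Path(workdir) / name
        if not path.is_file():
            continue
        keys = []
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            m = _KEY_RE.match(line.strip())
            if m and m.group(1) not in keys:  # de-duplicate, keep file order
                keys.append(m.group(1))
        return keys
    return []

def write_workdir_env(workdir, env_keys, environ):
    """Write <workdir>/.env with only the keys that have non-empty values."""
    written, lines = [], []
    for key in env_keys:
        value = environ.get(key, "")
        if not value:
            continue  # unset placeholder: leave it out of the file entirely
        if "\n" in value or "\r" in value:
            raise ValueError(f"{key}: multi-line value would add extra .env lines")
        written.append(key)
        lines.append(f"{key}={value}\n")
    target = Path(workdir) / ".env"
    # O_NOFOLLOW: refuse a .env that the repository shipped as a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(target, flags, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("".join(lines))
    return written

if __name__ == "__main__":
    d = tempfile.mkdtemp()
    # Constructed sample template, not a file from any real repository.
    Path(d, ".env.example").write_text("API_KEY=changeme\nexport TOKEN=\n# note\n")
    keys = discover_env_keys(d)
    print(keys, write_workdir_env(d, keys, {"API_KEY": "s3cret"}))
```

Values are written unquoted here; dotenv loaders differ on quoting and `#` handling, so a real writer has to match the loader the repository uses.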