fix(selfhost): isolate subscription cli environments

[JSONbored]

Motivation

• Close a self-host security regression where subscription CLI subprocesses could inherit the full worker process.env, exposing runtime secrets to prompt-injectable reviewer subprocesses.
• Ensure locally-authenticated CLIs (Claude Code / Codex) run with only the minimal environment and an isolated working directory so attacker-controlled PR text cannot induce secret exfiltration.

Description

• Add a strict allowlist SUBSCRIPTION_CLI_ENV_ALLOWLIST and subscriptionCliEnv() to build a minimal env for subscription CLIs instead of spreading process.env into subprocesses.
• Introduce isolatedCliCwd() and thread cwd through the shared SpawnFn/defaultSpawn() so each CLI runs from an isolated temporary directory.
• Update createClaudeCodeAi() and createCodexAi() to use subscriptionCliEnv() and launch subprocesses with the isolated cwd and the allowlisted env only.
• Update unit tests in test/unit/selfhost-ai.test.ts to assert the subprocess env is allowlisted, that Codex flags/args remain correct, and that the subprocess cwd is isolated.

Testing

• Ran the targeted unit file npx vitest run test/unit/selfhost-ai.test.ts --reporter=dot, which passed (45 tests passed).
• Ran type checking with npm run typecheck, which completed successfully.
• Attempted full coverage with npm run test:coverage, but coverage remapping failed due to a toolchain error (ast-v8-to-istanbul TypeError: jsTokens is not a function), so coverage reporting could not be produced in this environment.

---

Codex Task

[superagent-security]

Superagent didn't find any vulnerabilities or security issues in this PR.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.43%. Comparing base (6ffc2d0) to head (69e648c).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1392   +/-   ##
=======================================
  Coverage   95.43%   95.43%           
=======================================
  Files         202      202           
  Lines       21743    21751    +8     
  Branches     7856     7859    +3     
=======================================
+ Hits        20750    20758    +8     
  Misses        416      416           
  Partials      577      577           

Files with missing lines	Coverage Δ
src/selfhost/ai.ts	99.39% <100.00%> (+0.03%)	⬆️

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gittensory-orb]

Tip

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review — safe to merge

2 files · 1 AI reviewers · no blockers · readiness 48/100 · CI green · unknown

✅ Approved — safe to merge

Review summary
This PR replaces a fragile denylist of specific API-key env vars with a strict allowlist, closing a structural security hole where any new secret added to the worker env would be silently inherited by prompt-injectable CLI subprocesses. The allowlist is appropriately narrow (home/proxy/cert/locale/path only), the OAuth token is threaded through `extra` rather than being allowlisted globally, and the isolated `cwd` adds a meaningful second layer of containment. The implementation is correct, the test coverage is substantive (allowlist copy, undefined-skipping in `extra`, env and cwd assertions in the Codex test), and CI is fully green.

Nits (5)

• src/selfhost/ai.ts `isolatedCliCwd()`: the temp directory is created on every `.run()` call and never deleted — both `createClaudeCodeAi` and `createCodexAi` should clean up with `rmdir(cwd, { recursive: true })` in a `try/finally` around the spawn, or the worker will accumulate empty dirs in `/tmp` indefinitely.
• src/selfhost/ai.ts `SUBSCRIPTION_CLI_ENV_ALLOWLIST`: `TMPDIR` is absent; on macOS the default `TMPDIR` is a user-scoped path under `/var/folders/`, so subprocesses that internally create temp files silently fall back to `/tmp` — worth adding for portability.
• src/selfhost/ai.ts `subscriptionCliEnv()`: the `extra` parameter accepts an unrestricted `Record<string, string | undefined>`, which lets any caller bypass the allowlist; narrowing it to `Partial<{ CLAUDE_CODE_OAUTH_TOKEN: string }>` (or similar named union) would make the intended scope explicit and prevent future accidental widening.
• src/selfhost/ai.ts `createClaudeCodeAi` / `createCodexAi`: wrap the spawn call in `try/finally { await rm(cwd, { recursive: true }) }` so `isolatedCliCwd()` temp directories are cleaned up after each invocation regardless of success or failure.
• src/selfhost/ai.ts: add `TMPDIR` to `SUBSCRIPTION_CLI_ENV_ALLOWLIST` for macOS compatibility where `TMPDIR` points to a user-specific writable path rather than `/tmp`.

Signal	Result	Evidence
Code review	✅ No blockers	1 reviewers, synthesized
Linked issue	⚠️ Missing	No linked issue or no-issue rationale found.
Related work	⚠️ 3 scoped overlaps	Top overlaps are listed below; lower-confidence bulk is hidden.
Review load	❌ 8/20	Readiness component derived from cached public PR metadata and labels; size label size:M.
Validation evidence	❌ 5/25	Cached preflight status is hold.
Open PR queue	❌ 3/10	26 open PR(s), 9 likely reviewable, 17 unlinked.
Contributor context	✅ Confirmed Gittensor contributor	JSONbored; Gittensor profile; 81 PR(s), 297 issue(s).
Gate result	✅ Passing	No configured blocker found.

Nits — 2 non-blocking

• Repository config was not parsed
• No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.

Review context

• Author: JSONbored
• Role context: owner (maintainer lane)
• Public audience mode: oss maintainer
• Lane context: Repository registration is not available in the local Gittensory cache.
• Public profile languages: not available
• Official Gittensor activity: 81 PR(s), 297 issue(s).
• Related work: Titles/paths share 7 meaningful terms. (PR #1537, PR #1546)
• Related work: Titles/paths share 6 meaningful terms. (PR #1492, PR #1554)
• Related work: Titles/paths share 6 meaningful terms. (PR #1537, PR #1545)
• Additional title-only matches omitted; title-only overlap does not block.

Contributor next steps

• Treat this as maintainer-lane context rather than normal contributor-lane activity.
• Explain no-issue PR.
• Review top overlaps.
• Add scope summary.
• Fix blocker.
• Expect slower review.
• Refresh registry data or choose a registered active repo.
• Link the issue being solved, or explicitly explain why this is a no-issue PR.
• Check active issues and PRs before submitting.

Signal definitions

• Related work = same linked issue, overlapping active PRs, or title/path similarity.
• Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
• Open PR queue = repo-wide review pressure; it is not a PR quality failure.
• Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

Review details

Generated from public PR metadata and the diff. Advisory only; deterministic signals remain authoritative.

This PR replaces a fragile denylist of specific API-key env vars with a strict allowlist, closing a structural security hole where any new secret added to the worker env would be silently inherited by prompt-injectable CLI subprocesses. The allowlist is appropriately narrow (home/proxy/cert/locale/path only), the OAuth token is threaded through `extra` rather than being allowlisted globally, and the isolated `cwd` adds a meaningful second layer of containment. The implementation is correct, the test coverage is substantive (allowlist copy, undefined-skipping in `extra`, env and cwd assertions in the Codex test), and CI is fully green.

Nits (5)

• src/selfhost/ai.ts `isolatedCliCwd()`: the temp directory is created on every `.run()` call and never deleted — both `createClaudeCodeAi` and `createCodexAi` should clean up with `rmdir(cwd, { recursive: true })` in a `try/finally` around the spawn, or the worker will accumulate empty dirs in `/tmp` indefinitely.
• src/selfhost/ai.ts `SUBSCRIPTION_CLI_ENV_ALLOWLIST`: `TMPDIR` is absent; on macOS the default `TMPDIR` is a user-scoped path under `/var/folders/`, so subprocesses that internally create temp files silently fall back to `/tmp` — worth adding for portability.
• src/selfhost/ai.ts `subscriptionCliEnv()`: the `extra` parameter accepts an unrestricted `Record<string, string | undefined>`, which lets any caller bypass the allowlist; narrowing it to `Partial<{ CLAUDE_CODE_OAUTH_TOKEN: string }>` (or similar named union) would make the intended scope explicit and prevent future accidental widening.
• src/selfhost/ai.ts `createClaudeCodeAi` / `createCodexAi`: wrap the spawn call in `try/finally { await rm(cwd, { recursive: true }) }` so `isolatedCliCwd()` temp directories are cleaned up after each invocation regardless of success or failure.
• src/selfhost/ai.ts: add `TMPDIR` to `SUBSCRIPTION_CLI_ENV_ALLOWLIST` for macOS compatibility where `TMPDIR` points to a user-specific writable path rather than `/tmp`.

_{🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed}

---

💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

• Re-run Gittensory review