openabdev
diff --git a/‎charts/openab/templates/configmap.yaml‎
Lines changed: 17 additions & 2 deletions b/‎charts/openab/templates/configmap.yaml‎
Lines changed: 17 additions & 2 deletions
diff --git a/‎charts/openab/tests/configmap_test.yaml‎
Lines changed: 32 additions & 5 deletions b/‎charts/openab/tests/configmap_test.yaml‎
Lines changed: 32 additions & 5 deletions
diff --git a/‎config.toml.example‎
Lines changed: 32 additions & 6 deletions b/‎config.toml.example‎
Lines changed: 32 additions & 6 deletions
@@ -106,8 +106,23 @@ data:
     {{- if $cfg.env }}
     env = { {{ $first := true }}{{ range $k, $v := $cfg.env }}{{ if not $first }}, {{ end }}{{ $k }} = {{ $v | toJson }}{{ $first = false }}{{ end }} }
     {{- end }}
-    {{- if $cfg.inheritEnv }}
-    inherit_env = {{ $cfg.inheritEnv | toJson }}
+    {{- if hasKey $cfg "inheritEnv" }}
+    {{- fail (printf "agents.%s.inheritEnv was removed -- use agents.%s.clearEnv.allowList instead (BREAKING in beta; see CHANGELOG)" $name $name) }}
+    {{- end }}
+    {{- $clearEnv := $cfg.clearEnv | default dict }}
+    {{- $clearEnvDisabled := and (hasKey $clearEnv "enabled") (not $clearEnv.enabled) }}
+    {{- if or $clearEnvDisabled $clearEnv.allowList $clearEnv.denyList }}
+
+    [agent.clear_env]
+    {{- if $clearEnvDisabled }}
+    enabled = false
+    {{- end }}
+    {{- if $clearEnv.allowList }}
+    allow_list = {{ $clearEnv.allowList | toJson }}
+    {{- end }}
+    {{- if $clearEnv.denyList }}
+    deny_list = {{ $clearEnv.denyList | toJson }}
+    {{- end }}
     {{- end }}
 
     [pool]
 
@@ -143,18 +143,45 @@ tests:
           path: data["config.toml"]
           pattern: 'max_bot_turns = 30'
 
-  - it: renders inherit_env as TOML array
+  - it: renders clear_env.allow_list as TOML array
     set:
-      agents.kiro.inheritEnv:
+      agents.kiro.clearEnv.allowList:
         - "API_BASE_URL"
         - "MODEL_NAME"
     asserts:
       - matchRegex:
           path: data["config.toml"]
-          pattern: 'inherit_env = \["API_BASE_URL","MODEL_NAME"\]'
+          pattern: '\[agent\.clear_env\]'
+      - matchRegex:
+          path: data["config.toml"]
+          pattern: 'allow_list = \["API_BASE_URL","MODEL_NAME"\]'
+
+  - it: renders clear_env.enabled = false when disabled
+    set:
+      agents.kiro.clearEnv.enabled: false
+      agents.kiro.clearEnv.denyList:
+        - "DISCORD_BOT_TOKEN"
+    asserts:
+      - matchRegex:
+          path: data["config.toml"]
+          pattern: '\[agent\.clear_env\]'
+      - matchRegex:
+          path: data["config.toml"]
+          pattern: 'enabled = false'
+      - matchRegex:
+          path: data["config.toml"]
+          pattern: 'deny_list = \["DISCORD_BOT_TOKEN"\]'
 
-  - it: does not render inherit_env when unset
+  - it: does not render clear_env section when unset
     asserts:
       - notMatchRegex:
           path: data["config.toml"]
-          pattern: 'inherit_env'
+          pattern: '\[agent\.clear_env\]'
+
+  - it: fails with helpful message when legacy inheritEnv is used
+    set:
+      agents.kiro.inheritEnv:
+        - "API_BASE_URL"
+    asserts:
+      - failedTemplate:
+          errorPattern: 'inheritEnv was removed'
@@ -60,13 +60,39 @@ working_dir = "/home/agent"
 # Note: env vars here can override baseline vars (HOME, PATH, USER) if needed.
 # env = { ANTHROPIC_API_KEY = "${ANTHROPIC_API_KEY}" }
 #
-# By default, the agent subprocess only inherits these baseline vars:
-#   Linux/macOS: HOME, PATH, USER
-#   Windows:     USERPROFILE, USERNAME, PATH, SystemRoot, SystemDrive
+# Env inheritance from the OAB process is controlled by the [agent.clear_env]
+# table. The default is secure: the subprocess starts with env_clear() and
+# only receives the baseline (HOME/PATH/USER on Linux/macOS,
+# USERPROFILE/USERNAME/PATH/SystemRoot/SystemDrive on Windows) plus
+# everything in [agent].env above.
 #
-# To pass additional env vars from the OAB process (e.g. vars injected via K8s envFrom),
-# list them in inherit_env. Keys in [agent].env take precedence over inherited ones.
-# inherit_env = ["API_BASE_URL", "MODEL_NAME"]
+# Decision tree (when [agent.clear_env] is set):
+#   if enabled (default true):
+#     if allow_list non-empty   → only those keys pass through from process env
+#     elif deny_list non-empty  → all process env passes through EXCEPT deny_list
+#     else                       → nothing inherited (pure secure default)
+#   else (enabled = false):
+#     full process env inherited; both lists ignored (pure escape hatch)
+#
+# allow_list takes priority over deny_list when both are set under enabled=true.
+# [agent].env always wins on key conflict (highest precedence).
+#
+# Example: allow-list mode — explicitly pass a small set of keys.
+# [agent.clear_env]
+# allow_list = ["API_BASE_URL", "MODEL_NAME"]
+#
+# Example: deny-list mode for AWS-IRSA / web-identity workloads. K8s auto-
+# injects many AWS_* env vars (AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, ...);
+# listing every benign one in allow_list is brittle. Inherit everything and
+# strip known secrets:
+# [agent.clear_env]
+# deny_list = ["DISCORD_BOT_TOKEN", "SLACK_BOT_TOKEN", "ANTHROPIC_API_KEY"]
+#
+# Example: pure escape hatch — disable filtering entirely (NOT recommended,
+# every secret in the OAB env is exposed to the agent and exfil-able via
+# prompt injection).
+# [agent.clear_env]
+# enabled = false
 
 # [agent]
 # command = "codex"