
fix(openshell): pass workspace env vars to sandbox create #2249

Open
bmahabirbu wants to merge 3 commits into openkaiden:main from bmahabirbu:env-vars-to-openshell

@bmahabirbu

Contributor

Fixes #2246.

Summary

  • pass workspace environment entries through the OpenShell workspace creation path
  • add repeatable --env KEY=VALUE support to the OpenShell CLI wrapper used by Kaiden
  • cover the new wiring with focused unit tests and a local OpenShell smoke test

Test plan

  • pnpm exec vitest run packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
  • openshell sandbox create --name <temp> --from base --env KAIDEN_ENV_VERIFY=works --no-keep --no-tty -- sh -lc 'printf %s "$KAIDEN_ENV_VERIFY"'

Made with Cursor

@bmahabirbu bmahabirbu requested a review from a team as a code owner June 22, 2026 22:39
@bmahabirbu bmahabirbu requested review from fbricon and jeffmaury and removed request for a team June 22, 2026 22:39
@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: df66abaf-2304-4e2e-9c9a-4afd1d0b1877

📥 Commits

Reviewing files that changed from the base of the PR and between 7311b09 and bfd197c.

📒 Files selected for processing (5)
  • packages/api/src/openshell-gateway-info.ts
  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.ts
📜 Recent review details
⏰ Context from checks skipped due to timeout. (10)
  • GitHub Check: unit tests / ubuntu-24.04
  • GitHub Check: linter, formatters
  • GitHub Check: smoke-e2e-tests (prod) / ubuntu-24.04 (ollama)
  • GitHub Check: unit tests / macos-15
  • GitHub Check: Windows
  • GitHub Check: smoke-e2e-tests (dev) / ubuntu-24.04 (ollama)
  • GitHub Check: unit tests / windows-2022
  • GitHub Check: macOS
  • GitHub Check: Linux
  • GitHub Check: typecheck
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use /@/ path aliases instead of relative paths for imports outside the current directory's module group; use relative imports only for sibling modules within the same directory

Files:

  • packages/api/src/openshell-gateway-info.ts
  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.ts
  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
**/*.spec.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.spec.{ts,tsx,js,jsx}: Use test() instead of it() for test cases in Vitest unit tests
Use vi.mock(import('...')) for auto-mocking modules in unit tests; avoid manual mock factories when possible
Use vi.resetAllMocks() in beforeEach hooks instead of vi.clearAllMocks() for resetting mocks between tests
When an auto-mocked function or class method needs a real implementation, use vi.mocked(...) with the prototype pattern for class methods: vi.mocked(MyClass.prototype.myMethod).mockImplementation(...)

Files:

  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
packages/main/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

packages/main/src/**/*.{ts,tsx}: Use ipcHandle() to expose handlers in the main process with naming convention <registry-name>:<action> (e.g., container-provider-registry:listContainers)
Use apiSender.send() to send events from main process to renderer for real-time updates
Long-running operations should use TaskManager.createTask() with title and action configuration

Files:

  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.ts
  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
packages/{main,renderer,preload}/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Container operations must include engineId parameter to identify the container engine

Files:

  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.ts
  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
🧠 Learnings (2)
📚 Learning: 2026-05-12T17:14:02.153Z
Learnt from: MarsKubeX
Repo: openkaiden/kaiden PR: 1850
File: packages/renderer/src/lib/agent-workspaces/AgentWorkspaceList.svelte:66-70
Timestamp: 2026-05-12T17:14:02.153Z
Learning: When reviewing code that uses `AgentWorkspaceSummaryUI.runtime`, treat it as a required, non-null `string` per the `openkaiden/kdn-api` 0.12.0 schema. Therefore, code like `a.runtime.localeCompare(b.runtime)` is safe and should not trigger warnings about possible `undefined`/`null` values or suggestions to use nullish coalescing/optional chaining for `runtime` (unless the current local types still mark `runtime` as optional, indicating a schema/version mismatch).

Applied to files:

  • packages/api/src/openshell-gateway-info.ts
  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.ts
  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
📚 Learning: 2026-03-09T08:47:09.657Z
Learnt from: benoitf
Repo: kortex-hub/kortex PR: 1077
File: packages/main/src/plugin/skill/skill-manager.ts:80-109
Timestamp: 2026-03-09T08:47:09.657Z
Learning: In the kortex-hub/kortex repository, IPC handlers (via ipcHandle()) may be registered directly inside feature manager/service classes (e.g., SkillManager in packages/main/src/plugin/skill/skill-manager.ts) rather than exclusively in packages/main/src/plugin/index.ts. Treat this as an accepted design pattern for files under the plugin directory. Reviewers should not require centralization in index.ts; allow IPC registration proximity to the feature that owns the handler. When reviewing code, accept direct ipcHandle() registrations inside feature managers and ensure the pattern is consistently applied across similar feature-manager modules.

Applied to files:

  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.ts
  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
🔇 Additional comments (5)
packages/api/src/openshell-gateway-info.ts (1)

88-88: LGTM!

packages/main/src/plugin/openshell-cli/openshell-cli.ts (1)

137-141: LGTM!

Also applies to: 158-158, 321-321

packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts (1)

168-180: LGTM!

Also applies to: 250-277

packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts (1)

185-195: LGTM!

packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts (1)

431-448: LGTM!


📝 Walkthrough

Walkthrough

Adds environment variable propagation for OpenShell sandboxes. A new env?: Record<string, string> field is added to CreateSandboxOptions. OpenshellCli.createSandbox maps each entry to repeatable --env CLI flags and redacts values in logs. AgentWorkspaceManager.createOpenshell derives this map from workspace.environment, filtering to non-empty string values.

Changes

Environment Variable Propagation to OpenShell Sandbox

| Layer / File(s) | Summary |
| --- | --- |
| CreateSandboxOptions env field: packages/api/src/openshell-gateway-info.ts | Adds optional env?: Record<string, string> to the CreateSandboxOptions interface. |
| --env flag construction and redaction in OpenshellCli: packages/main/src/plugin/openshell-cli/openshell-cli.ts, packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts | Iterates options.env and appends --env key=value arguments before the -- separator. Enables redact: true in runCli and expands sensitive flags to include --env so environment values are obscured in logs. Tests verify flag placement and redaction behavior. |
| workspace.environment wiring in AgentWorkspaceManager: packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts, packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts | Filters workspace.environment entries to non-empty string values, constructs a name: value map, and passes to createSandbox as env. New test confirms environment entries are forwarded correctly. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • openkaiden/kaiden#2020: Introduced the OpenshellCli.createSandbox wrapper and CreateSandboxOptions that this PR extends with env support.
  • openkaiden/kaiden#2135: Added --no-tty/noTty to createSandbox argument construction in the same code paths modified here for --env.
  • openkaiden/kaiden#2187: Refactored the createSandbox call path in AgentWorkspaceManager.createOpenshell where this PR adds workspace.environment → options.env wiring.

Suggested reviewers

  • gastoner
  • fbricon
  • benoitf
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly summarizes the main change: passing workspace environment variables to the OpenShell sandbox during creation, which aligns with the primary objective. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the workspace environment variable passing feature, OpenShell CLI wrapper updates, and test coverage. |
| Linked Issues check | ✅ Passed | The PR fully addresses #2246 by implementing workspace environment variable passing via --env flags to the OpenShell sandbox, matching the requested solution approach. |
| Out of Scope Changes check | ✅ Passed | All changes are within scope: API interface updates, workspace manager logic, OpenShell CLI wrapper modifications, and comprehensive unit tests for the new --env functionality. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/main/src/plugin/openshell-cli/openshell-cli.ts`:
- Around line 137-141: The environment variable values in the options.env array
are being added as raw KEY=value pairs to the args array, and these args are
subsequently logged by the runCli() function, which can expose secrets in the
application logs. Modify the code to redact or mask the env values in the args
array that will be logged while ensuring the actual CLI execution receives the
unredacted values. This requires separating the logging representation of the
arguments from the actual arguments passed to the CLI, or implementing a
redaction mechanism that masks sensitive --env argument values before they reach
the logging layer.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 597ce298-7641-441f-821e-596bdd31fb9a

📥 Commits

Reviewing files that changed from the base of the PR and between 677e04b and 7311b09.

📒 Files selected for processing (5)
  • packages/api/src/openshell-gateway-info.ts
  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
  • packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
  • packages/main/src/plugin/openshell-cli/openshell-cli.ts
📜 Review details
⏰ Context from checks skipped due to timeout. (10)
  • GitHub Check: linter, formatters
  • GitHub Check: typecheck
  • GitHub Check: smoke-e2e-tests (prod) / ubuntu-24.04 (ollama)
  • GitHub Check: smoke-e2e-tests (dev) / ubuntu-24.04 (ollama)
  • GitHub Check: macOS
  • GitHub Check: unit tests / ubuntu-24.04
  • GitHub Check: unit tests / macos-15
  • GitHub Check: unit tests / windows-2022
  • GitHub Check: Windows
  • GitHub Check: Linux
🔇 Additional comments (4)
packages/api/src/openshell-gateway-info.ts (1)

88-88: LGTM!

packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts (1)

168-180: LGTM!

Also applies to: 250-265

packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts (1)

185-193: LGTM!

packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts (1)

431-448: LGTM!

Comment thread packages/main/src/plugin/openshell-cli/openshell-cli.ts
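
The wiring this review discusses (filter `workspace.environment`, emit repeatable `--env KEY=VALUE` before `--`, log only a redacted copy), as an added TypeScript example that is not code from this PR or from Kaiden. `toEnvMap`, `buildCreateArgs`, `redactArgs`, the entry shape and the name check are assumptions; the sample entries are constructed.

```typescript
// Added illustration; every name here is hypothetical, not the Kaiden code base.
interface EnvEntry { name: string; value?: unknown }

const SENSITIVE_FLAGS = new Set(['--env']);  // flags whose values must not reach logs
const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/; // assumption: reject '=' so KEY=VALUE stays unambiguous

// Constructed sample input.
const SAMPLE_ENTRIES: EnvEntry[] = [
  { name: 'API_TOKEN', value: 'constructed-secret' },
  { name: 'MODE', value: 'dev' },
  { name: 'EMPTY', value: '' },       // dropped: empty value
  { name: 'COUNT', value: 3 },        // dropped: not a string
  { name: 'BAD=NAME', value: 'x' },   // dropped: would shift the KEY=VALUE boundary
];

// Keep only entries with a valid name and a non-empty string value.
function toEnvMap(entries: EnvEntry[]): Record<string, string> {
  const env: Record<string, string> = {};
  for (const { name, value } of entries) {
    if (typeof value === 'string' && value.length > 0 && ENV_NAME.test(name)) env[name] = value;
  }
  return env;
}

// Build argv as an array (never a shell string); --env pairs go before the `--` separator.
function buildCreateArgs(name: string, env: Record<string, string>, command: string[]): string[] {
  const args = ['sandbox', 'create', '--name', name];
  for (const [key, value] of Object.entries(env)) args.push('--env', `${key}=${value}`);
  if (command.length > 0) args.push('--', ...command);
  return args;
}

// Mask the value of a KEY=VALUE pair, keeping the key for debuggability.
function mask(pair: string): string {
  const eq = pair.indexOf('=');
  return eq < 0 ? '***' : `${pair.slice(0, eq)}=***`;
}

// Return a copy that is safe to log. The array passed to the process stays untouched.
// Handles both `--env K=V` and `--env=K=V`; everything after `--` is the command and is left alone.
function redactArgs(args: string[]): string[] {
  const sep = args.indexOf('--');
  const head = sep < 0 ? args : args.slice(0, sep);
  const tail = sep < 0 ? [] : args.slice(sep);
  const out: string[] = [];
  let maskNext = false;
  for (const arg of head) {
    const eq = arg.indexOf('=');
    if (maskNext) {
      out.push(mask(arg));
      maskNext = false;
    } else if (SENSITIVE_FLAGS.has(arg)) {
      out.push(arg);
      maskNext = true;
    } else if (eq > 0 && SENSITIVE_FLAGS.has(arg.slice(0, eq))) {
      out.push(`${arg.slice(0, eq)}=${mask(arg.slice(eq + 1))}`);
    } else {
      out.push(arg);
    }
  }
  return [...out, ...tail];
}
```

Redacting the log line does not hide the values from the host's process list, where command-line arguments remain visible while the CLI runs.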
@codecov

codecov Bot commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


cpu?: string;
memory?: string;
providers?: string[];
env?: string[];

Contributor

suggestion: should be typed as Record<string, string>

Contributor Author

updated! thanks for the suggestion

bmahabirbu and others added 2 commits June 23, 2026 08:47
Workspace environment entries now flow into OpenShell sandbox creation.
This makes values from workspace.json available from the first process
and covers the wiring with focused tests.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Brian <bmahabir@bu.edu>
…ring[]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Brian <bmahabir@bu.edu>
@bmahabirbu bmahabirbu force-pushed the env-vars-to-openshell branch from df0251e to f09bd9b Compare June 23, 2026 12:47

@MarsKubeX MarsKubeX left a comment

Contributor

LGTM. Only take a look at the CodeRabbit comment regarding leaking secrets.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Brian <bmahabir@bu.edu>
Successfully merging this pull request may close these issues.

Wire environment variables to the OpenShell create workspace
