feat: agent-sdk-runner spawns hermetic children via complete Options.env

The historical 'env: breaks SDK auth' failure was partial-env replacement:
Options.env replaces the child's entire environment, so objects lacking
ANTHROPIC_API_KEY killed auth. Passing the complete hermetic env (key +
PATH + redirected CLAUDE_CONFIG_DIR/GSTACK_HOME) works — validated live
via query() with a Bash tool call (success, real cost, Conductor vars
scrubbed). Per-test opts.env merges last; ambient key mutation still
works because the builder reads process.env at call time.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-06-12 11:21:31 -07:00
parent b89ce2677c
commit 704619870c
2 changed files with 20 additions and 8 deletions
+7 -1
View File
@@ -347,7 +347,13 @@ describe('runAgentSdkTest — options propagation', () => {
expect(opts.permissionMode).toBe('bypassPermissions');
expect(opts.allowDangerouslySkipPermissions).toBe(true);
expect(opts.settingSources).toEqual([]);
expect(opts.env).toEqual({ ANTHROPIC_API_KEY: 'fake' });
// env is the COMPLETE hermetic env with the per-test override merged
// last — partial pass-through was the documented SDK auth-breaker
// (Options.env replaces the child's entire environment).
expect(opts.env?.ANTHROPIC_API_KEY).toBe('fake');
expect(opts.env?.PATH).toBeTruthy();
expect(opts.env?.CLAUDE_CONFIG_DIR).toMatch(/\/\.claude$/);
expect(opts.env?.GSTACK_HOME).toContain('gstack-home');
expect(opts.pathToClaudeCodeExecutable).toBe('/fake/path/claude');
});