shell_exec only receives HOME/PATH/PWD in Docker despite env vars present in PID 1 and passthrough allowlists

[shmakes]

Description

Summary

In Docker on v0.6.4, shell_exec subprocesses only see a minimal environment (HOME, PATH, PWD) even though the full environment is present in the running openfang process and config passthrough/allowlists are set.

This looks related to the subprocess env-clearing behavior and may be similar in class to #660.

Version

• OpenFang: v0.6.4
• Deployment: Docker Compose
• Restart method: always docker compose down && docker compose up -d

Actual

When the agent runs:

printenv

the complete output is only:

HOME=/root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/linuxbrew/.linuxbrew/bin
PWD=/data/workspaces/assistant

So shell_exec is getting only a minimal environment.

Proof the env vars are in the OpenFang process

Running this through the agent:

cat /proc/1/environ

shows PID 1 has the expected variables, including:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/linuxbrew/.linuxbrew/bin
GOG_KEYRING_BACKEND=file
GOG_CONFIG_DIR=/root/.config/gogcli
OPENFANG_ALLOW_NO_AUTH=1
OPENFANG_HOME=/data
GOG_ACCOUNT=<REDACTED>
GEMINI_API_KEY=<REDACTED>
OPENAI_API_KEY=<REDACTED>
GOG_KEYRING_PASSWORD=<REDACTED>
TZ=America/Chicago
HOME=/root

So the environment is definitely present in the openfang service process, but not in the subprocess used by shell_exec.

Docker Compose environment resolution is correct

docker compose config resolves the environment correctly before container creation. Relevant section:

environment:
  GEMINI_API_KEY: <REDACTED>
  GOG_ACCOUNT: <REDACTED>
  GOG_CONFIG_DIR: /root/.config/gogcli
  GOG_KEYRING_BACKEND: file
  GOG_KEYRING_PASSWORD: <REDACTED>
  OPENAI_API_KEY: <REDACTED>
  OPENFANG_ALLOW_NO_AUTH: "1"
  OPENFANG_HOME: /data
  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/linuxbrew/.linuxbrew/bin
  TZ: America/Chicago

Config used

Redacted version of relevant config:

api_listen = "0.0.0.0:50052"
api_key = "<REDACTED>"

[agents.default.tools]
allow = ["*"]

[agents.default.capabilities]
shell = ["*"]
tools = ["*"]
network = ["*"]

[agents.default.exec_policy]
mode = "full"
env_passthrough = ["*"]

[tools.shell_exec]
description = "Execute a shell command."
env_allowlist = ["*"]

[exec_policy]
mode = "full"
safe_bins = ["ls", "cat", "grep", "python3", "gog", "sh", "bash", "env", "printenv"]
env_passthrough = ["*"]

Notes

• OpenFang itself can use OPENAI_API_KEY, so the main service can read env vars.
• The failure seems specific to the subprocess execution path used by shell_exec.
• This may be related to the subprocess env_clear() behavior described in the project security model, but it appears the configured allow/passthrough lists are not being applied to shell_exec.
• Related issue: [BUG] MCP servers don't receive credentials from .env/vault — only process env vars #660

Expected Behavior

Expected

Commands run through shell_exec should receive the explicitly allowed environment variables, or at minimum honor:

• top-level exec_policy.env_passthrough
• tool env_allowlist
• agent-level shell/exec settings

Steps to Reproduce

Reproduction

1. Start OpenFang v0.6.4 in Docker Compose with env vars defined in environment:
2. Confirm docker compose config resolves those variables
3. Confirm PID 1 inside the container has them via cat /proc/1/environ
4. In OpenFang console, ask the agent to run printenv
5. Observe only HOME, PATH, and PWD

OpenFang Version

0.6.4

Operating System

Linux (x86_64)

Logs / Screenshots

No response