fix(security): prevent env disclosure in createSpawnEnv

[JasonOA888]

Fixes #1186

Security fix: createSpawnEnv no longer inherits ALL environment variables from main process.

Before: Copied ALL env vars (AWS keys, API tokens, secrets)
After: Only passes explicitly configured MCP server env vars

This prevents sensitive information disclosure to MCP servers.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a critical security fix by modifying the createSpawnEnv function. The change ensures that child processes spawned for MCP servers receive only explicitly configured environment variables, thereby preventing the unintended disclosure of sensitive information such as API keys or cloud credentials that might be present in the main process's environment.

Highlights

• Security Enhancement: The createSpawnEnv function has been updated to prevent the disclosure of sensitive environment variables to spawned MCP server processes. It no longer inherits all environment variables from the main process.
• Environment Variable Handling: The function now explicitly passes only the environment variables defined in the MCP server configuration, ensuring a minimal and secure environment for child processes.

Changelog

• apps/stage-tamagotchi/src/main/services/airi/mcp-servers/index.ts
  • Refactored createSpawnEnv to no longer inherit all process.env variables.
  • Added JSDoc comments explaining the security implications of environment variable handling.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly addresses a critical security vulnerability by preventing the leakage of environment variables from the main process to spawned MCP server processes. The change in createSpawnEnv is a significant security improvement. I have one minor suggestion to improve the code's conciseness, but the core logic of the fix is sound.

[gemini-code-assist]

While the current implementation is correct, it can be made more concise. You can use the nullish coalescing operator (??) to handle the undefined case for overrides and simplify the function body to a single line.

  return { ...(overrides ?? {}) }

[github-actions]

⏳ Approval required for deploying to Cloudflare Workers (Preview) for stage-web.

Name	Link
🔭 Waiting for approval	For maintainers, approve here

Hey, @nekomeowww, @sumimakito, @luoling8192, @LemonNekoGH, kindly take some time to review and approve this deployment when you are available. Thank you! 🙏

[LemonNekoGH]

This issue was temporary disappeared when #1204 merged, can I close it?

We can add a co-athuor for you in next PR which fixes #1186.