diff --git a/main.ts b/main.ts index 470c542..b6d2ef4 100644 --- a/main.ts +++ b/main.ts @@ -219,10 +219,7 @@ export async function main(): Promise { // configure env allowlist for subprocess filtering if (runContext.repoSettings.envAllowlist) { - const blocked = setEnvAllowlist(runContext.repoSettings.envAllowlist); - if (blocked.length > 0) { - log.warning(`env allowlist contains blocked names (ignored): ${blocked.join(", ")}`); - } + setEnvAllowlist(runContext.repoSettings.envAllowlist); } // resolve payload to determine shell permission diff --git a/models.test.ts b/models.test.ts index 02f818c..af4f7e3 100644 --- a/models.test.ts +++ b/models.test.ts @@ -67,7 +67,7 @@ describe("getModelEnvVars", () => { describe("resolveModelSlug", () => { it("resolves known alias to concrete specifier", () => { const resolved = resolveModelSlug("anthropic/claude-opus"); - expect(resolved).toBe("anthropic/claude-opus-4-6"); + expect(resolved).toBe("anthropic/claude-opus-4-7"); }); it("resolves openai alias", () => { diff --git a/models.ts b/models.ts index ef42ee2..539cb52 100644 --- a/models.ts +++ b/models.ts @@ -58,7 +58,7 @@ export const providers = { models: { "claude-opus": { displayName: "Claude Opus", - resolve: "anthropic/claude-opus-4-6", + resolve: "anthropic/claude-opus-4-7", openRouterResolve: "openrouter/anthropic/claude-opus-4.6", preferred: true, }, @@ -176,7 +176,7 @@ export const providers = { }, "claude-opus": { displayName: "Claude Opus", - resolve: "opencode/claude-opus-4-6", + resolve: "opencode/claude-opus-4-7", openRouterResolve: "openrouter/anthropic/claude-opus-4.6", }, "claude-sonnet": { diff --git a/test/__snapshots__/models.test.ts.snap b/test/__snapshots__/models.test.ts.snap index 405d8dd..0e3a101 100644 --- a/test/__snapshots__/models.test.ts.snap +++ b/test/__snapshots__/models.test.ts.snap @@ -3,8 +3,8 @@ exports[`latest model per provider snapshot > matches snapshot 1`] = ` { "anthropic": { - "modelId": "claude-sonnet-4-6", - "releaseDate": "2026-02-17", + "modelId": "claude-opus-4-7", + "releaseDate": "2026-04-16", }, "deepseek": { "modelId": "deepseek-reasoner", @@ -23,8 +23,8 @@ exports[`latest model per provider snapshot > matches snapshot 1`] = ` "releaseDate": "2026-03-17", }, "opencode": { - "modelId": "glm-5.1", - "releaseDate": "2026-04-07", + "modelId": "claude-opus-4-7", + "releaseDate": "2026-04-16", }, "openrouter": { "modelId": "openrouter/elephant-alpha", diff --git a/test/models.test.ts b/test/models.test.ts index 60970eb..cf61dea 100644 --- a/test/models.test.ts +++ b/test/models.test.ts @@ -164,8 +164,10 @@ describe("latest model per provider snapshot", async () => { } } - // when this fails, a provider shipped a new model. check whether we need - // to add or update an alias in models.ts before updating the snapshot. + // when this fails, a provider shipped a new model. usually that just means + // bumping the `resolve` on an existing alias in models.ts (e.g. point + // "claude-opus" at the latest opus) rather than introducing a new alias. + // refresh the alias resolution first, then update this snapshot. it("matches snapshot", () => { expect(latestByProvider).toMatchSnapshot(); }); diff --git a/utils/secrets.ts b/utils/secrets.ts index 310b5dd..aeda93e 100644 --- a/utils/secrets.ts +++ b/utils/secrets.ts @@ -25,10 +25,9 @@ export function isSensitiveEnvName(key: string): boolean { // --- subprocess env filtering --- -// vars that are never passed to subprocesses, even if prefix-matched -const BLOCKED_ENV_NAMES = new Set(["GITHUB_TOKEN", "GH_TOKEN"]); - -// prefixes whose vars are safe to pass through (runner metadata, workflow context) +// prefixes whose vars are safe to pass through (runner metadata, workflow context). +// GITHUB_TOKEN/GH_TOKEN match the GITHUB_ prefix but are still filtered by default because +// isSensitiveEnvName() catches the _TOKEN suffix; users can opt in explicitly via the allowlist. const SAFE_ENV_PREFIXES = ["GITHUB_", "RUNNER_", "JAVA_HOME_", "GOROOT_"]; // exact var names safe to pass through (system + runner image toolchain) @@ -87,18 +86,15 @@ const SAFE_ENV_NAMES = new Set([ let _userAllowlist: Set | null = null; -export function setEnvAllowlist(raw: string): string[] { +export function setEnvAllowlist(raw: string): void { const names = raw .split("\n") .map((line) => line.trim()) .filter(Boolean); - const blocked = names.filter((n) => BLOCKED_ENV_NAMES.has(n)); - _userAllowlist = new Set(names.filter((n) => !BLOCKED_ENV_NAMES.has(n))); - return blocked; + _userAllowlist = new Set(names); } function isSafeEnvVar(key: string): boolean { - if (BLOCKED_ENV_NAMES.has(key)) return false; if (SAFE_ENV_NAMES.has(key)) return true; return SAFE_ENV_PREFIXES.some((p) => key.startsWith(p)); } @@ -108,7 +104,6 @@ export function filterEnv(): Record { const filtered: Record = {}; for (const [key, value] of Object.entries(process.env)) { if (value === undefined) continue; - if (BLOCKED_ENV_NAMES.has(key)) continue; const userAllowed = _userAllowlist?.has(key) ?? false; if (isSensitiveEnvName(key) && !userAllowed) continue; if (isSafeEnvVar(key) || userAllowed) {