agent: @U0AJM7X8FBR How can we give Recoup the ability to use a chartmetric API #104

Open
sweetmantech wants to merge 1 commit into main from agent/-u0ajm7x8fbr-how-can-we-give-r-1773927625973

@sweetmantech sweetmantech commented Mar 19, 2026

Automated PR from coding agent.

Prompt: @U0AJM7X8FBR How can we give Recoup the ability to use a chartmetric API key in a sandbox without exposing the key?
I want the agent in the sandbox to be able to use our chartmetric skill (in the skills repo and also installed in sandboxes) so we don't have to build a bunch of tools - it just uses bash and the skill

Summary by CodeRabbit

  • New Features
    • Added support for CHARTMETRIC_REFRESH_TOKEN environment variable in sandbox configuration setup.

Passes the Chartmetric refresh token from Trigger.dev secrets into
both getSandboxEnv (for Claude Code agent runs) and setupOpenClaw
(for OpenClaw openclaw.json env config) using the same optional
pattern as GITHUB_TOKEN.

The agent in the sandbox can now use the chartmetric skill via bash
without the token being exposed to users — it lives only in Trigger.dev
secrets and is injected at runtime.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

coderabbitai bot commented Mar 19, 2026

Walkthrough

This PR adds optional CHARTMETRIC_REFRESH_TOKEN environment variable support to the sandbox environment by conditionally reading it from process.env and injecting it into both the sandbox environment configuration and OpenClaw setup. Eight lines added across two files with no changes to exported signatures.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Sandbox Environment Setup: src/sandboxes/getSandboxEnv.ts, src/sandboxes/setupOpenClaw.ts | Adds conditional reading and injection of CHARTMETRIC_REFRESH_TOKEN from process.env. getSandboxEnv injects the token into returned env object when present. setupOpenClaw reads the token, logs its presence, and conditionally injects it into the OpenClaw configuration alongside existing RECOUP_* and GITHUB_TOKEN variables. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰✨ A token hops into our sandbox today,
From CHARTMETRIC, it finds its way,
Conditionally placed with gentle care,
OpenClaw and env both get their share!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title is formatted as a conversational question directed at a user, not as a standard PR title describing the change. While it relates to the core intent (giving Recoup access to Chartmetric API), it is vague, overly broad, and does not clearly communicate the specific technical change or implementation approach to reviewers scanning PR history. | Revise the title to be a clear, concise statement of the actual change, such as 'Add CHARTMETRIC_REFRESH_TOKEN injection to sandbox environments' or 'Inject Chartmetric API credentials into sandbox agent environments'. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 243d7330-11a2-49b1-964a-ea51eb9010a2

📥 Commits

Reviewing files that changed from the base of the PR and between df2e32f and 870b47e.

📒 Files selected for processing (2)
  • src/sandboxes/getSandboxEnv.ts
  • src/sandboxes/setupOpenClaw.ts

Comment on lines +23 to +26
const chartmetricRefreshToken = process.env.CHARTMETRIC_REFRESH_TOKEN;
if (chartmetricRefreshToken) {
env.CHARTMETRIC_REFRESH_TOKEN = chartmetricRefreshToken;
}
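
Review bot: `env.CHARTMETRIC_REFRESH_TOKEN = chartmetricRefreshToken;` copies the refresh token itself into the sandbox environment, so every process the agent starts from bash can read it. Consider exchanging the refresh token outside the sandbox and injecting only a short-lived access token, or routing Chartmetric calls through a proxy that holds the secret; at minimum, document that the token is readable from inside the sandbox.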

⚠️ Potential issue | 🟠 Major

Validate CHARTMETRIC_REFRESH_TOKEN through a Zod env schema before use.

Line 23 reads from process.env directly; this bypasses the repo’s schema-validation requirement for TS sources. Please parse env once (e.g., with a Zod schema) and build env from parsed output.

Suggested refactor
+import { z } from "zod";
+
+const SandboxEnvSchema = z.object({
+  RECOUP_API_KEY: z.string().min(1),
+  GITHUB_TOKEN: z.string().min(1).optional(),
+  CHARTMETRIC_REFRESH_TOKEN: z.string().min(1).optional(),
+});
+
 export function getSandboxEnv(
   accountId: string
 ): Record<string, string> {
-  const apiKey = process.env.RECOUP_API_KEY;
+  const parsedEnv = SandboxEnvSchema.parse(process.env);
+  const apiKey = parsedEnv.RECOUP_API_KEY;
   if (!apiKey) {
     throw new Error("Missing RECOUP_API_KEY environment variable");
   }
@@
-  const githubToken = process.env.GITHUB_TOKEN;
+  const githubToken = parsedEnv.GITHUB_TOKEN;
@@
-  const chartmetricRefreshToken = process.env.CHARTMETRIC_REFRESH_TOKEN;
+  const chartmetricRefreshToken = parsedEnv.CHARTMETRIC_REFRESH_TOKEN;
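
Review bot: `CHARTMETRIC_REFRESH_TOKEN: z.string().min(1).optional()` changes behaviour for a variable that is set but empty: the `if (chartmetricRefreshToken)` check skipped it, while `SandboxEnvSchema.parse(process.env)` now throws. The same parse also throws on a missing `RECOUP_API_KEY` before the retained `if (!apiKey)` branch runs, so that branch and its error message become unreachable. Either map empty strings to undefined for the optional keys and remove the dead check, or use `safeParse` and keep the existing error text.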

As per coding guidelines, Use Zod for schema validation.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/sandboxes/getSandboxEnv.ts` around lines 23 - 26, Replace the direct read
of process.env.CHARTMETRIC_REFRESH_TOKEN in getSandboxEnv.ts with a
Zod-validated parse: define a Zod schema (e.g., SandboxEnvSchema) that includes
CHARTMETRIC_REFRESH_TOKEN as a string (optional or required per spec), call
SandboxEnvSchema.parse(process.env) (or safeParse and handle errors) to produce
parsedEnv, and then set env.CHARTMETRIC_REFRESH_TOKEN =
parsedEnv.CHARTMETRIC_REFRESH_TOKEN; update any related code to use the parsed
object instead of raw process.env. Ensure you reference SandboxEnvSchema and
parsedEnv in the change and handle validation failures consistently with the
repo’s error handling.

c.env.RECOUP_API_KEY = '${process.env.RECOUP_API_KEY}';
c.env.RECOUP_ACCOUNT_ID = '${accountId}';
${githubToken ? `c.env.GITHUB_TOKEN = '${githubToken}';` : ""}
${chartmetricRefreshToken ? `c.env.CHARTMETRIC_REFRESH_TOKEN = '${chartmetricRefreshToken}';` : ""}
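
Review bot: the three lines above the new one (`RECOUP_API_KEY`, `RECOUP_ACCOUNT_ID`, `GITHUB_TOKEN`) wrap raw values in single quotes the same way, so fixing only the `CHARTMETRIC_REFRESH_TOKEN` line leaves the pattern in place. Serialize all four values through one helper rather than patching a single line. Note also that `'${process.env.RECOUP_API_KEY}'` writes the literal string 'undefined' when the variable is unset.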

⚠️ Potential issue | 🟠 Major

Escape token values before embedding into the node -e script.

Line 48 interpolates a raw secret inside a quoted JS snippet. A token containing quote/escape characters can break command generation and opens an injection risk. Use JSON.stringify(...) for assignment literals.

Safer assignment serialization
-        ${chartmetricRefreshToken ? `c.env.CHARTMETRIC_REFRESH_TOKEN = '${chartmetricRefreshToken}';` : ""}
+        ${chartmetricRefreshToken ? `c.env.CHARTMETRIC_REFRESH_TOKEN = ${JSON.stringify(chartmetricRefreshToken)};` : ""}
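
Review bot: `JSON.stringify(chartmetricRefreshToken)` fixes the JavaScript literal only; its output is wrapped in double quotes and leaves `$`, backticks and single quotes as they are, and this text ends up inside a `node -e` command whose outer shell quoting is not shown in the hunk. Check that outer quoting as well, or pass the values to the script through the process environment or stdin and read them there, so no secret is spliced into source text at all.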
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/sandboxes/setupOpenClaw.ts` at line 48, The template is interpolating raw
secret text into the generated `node -e` script (the `chartmetricRefreshToken`
insertion in src/sandboxes/setupOpenClaw.ts), which can break quoting or allow
injection; update the template to serialize the token value with a safe JS
literal encoder (e.g., use JSON.stringify(chartmetricRefreshToken) when building
the `c.env.CHARTMETRIC_REFRESH_TOKEN = ...` assignment) so the embedded value is
properly escaped and quoted before insertion into the `node -e` script.
