agent: @U0AJM7X8FBR How can we give Recoup the ability to use a chartmetric API #107
recoup-coding-agent wants to merge 3 commits into main from
Conversation
No actionable comments were generated in the recent review. 🎉
ℹ️ Recent review info: configuration used: defaults; review profile: CHILL; plan: Pro. Files selected for processing (3)
✅ Files skipped from review due to trivial changes (3)
📝 Walkthrough
getSandboxEnv and setupOpenClaw were updated to include a CHARTMETRIC_BASE_URL environment variable set to "https://recoup-api.vercel.app/api/chartmetric" (always present in getSandboxEnv and injected into OpenClaw config/logging). No other env-injection logic was changed.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~8 minutes
🚥 Pre-merge checks: ✅ 2 passed | ❌ 1 failed (inconclusive)
🧹 Nitpick comments (1)
src/sandboxes/setupOpenClaw.ts (1)
47-48: Consider escaping token values in shell-interpolated strings.
Both GITHUB_TOKEN and CHARTMETRIC_REFRESH_TOKEN are directly interpolated into a JavaScript string inside a shell command. If a token contains single quotes or other special characters, it could break the script or cause unexpected behavior. While environment variables are typically trusted, consider escaping or using a safer injection method (e.g., passing values via stdin or environment variables to the Node subprocess).
♻️ Example safer approach using environment variables
- const injectEnv = await sandbox.runCommand({ - cmd: "sh", - args: [ - "-c", - `node -e " - const fs = require('fs'); - const p = require('os').homedir() + '/.openclaw/openclaw.json'; - const c = JSON.parse(fs.readFileSync(p, 'utf8')); - c.env = c.env || {}; - c.env.RECOUP_API_KEY = '${process.env.RECOUP_API_KEY}'; - c.env.RECOUP_ACCOUNT_ID = '${accountId}'; - ${githubToken ? `c.env.GITHUB_TOKEN = '${githubToken}';` : ""} - ${chartmetricRefreshToken ? `c.env.CHARTMETRIC_REFRESH_TOKEN = '${chartmetricRefreshToken}';` : ""} - ... - "`, - ], - }); + const injectEnv = await sandbox.runCommand({ + cmd: "sh", + args: [ + "-c", + `node -e " + const fs = require('fs'); + const p = require('os').homedir() + '/.openclaw/openclaw.json'; + const c = JSON.parse(fs.readFileSync(p, 'utf8')); + c.env = c.env || {}; + c.env.RECOUP_API_KEY = process.env.INJECT_RECOUP_API_KEY; + c.env.RECOUP_ACCOUNT_ID = process.env.INJECT_RECOUP_ACCOUNT_ID; + if (process.env.INJECT_GITHUB_TOKEN) c.env.GITHUB_TOKEN = process.env.INJECT_GITHUB_TOKEN; + if (process.env.INJECT_CHARTMETRIC_REFRESH_TOKEN) c.env.CHARTMETRIC_REFRESH_TOKEN = process.env.INJECT_CHARTMETRIC_REFRESH_TOKEN; + ... + "`, + ], + env: { + INJECT_RECOUP_API_KEY: process.env.RECOUP_API_KEY, + INJECT_RECOUP_ACCOUNT_ID: accountId, + ...(githubToken && { INJECT_GITHUB_TOKEN: githubToken }), + ...(chartmetricRefreshToken && { INJECT_CHARTMETRIC_REFRESH_TOKEN: chartmetricRefreshToken }), + }, + });🤖 Prompt for AI Agents
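Review bot: the replacement hunk relies on an `env:` option to `sandbox.runCommand` to carry the secrets into the child, so confirm that the sandbox API actually propagates that map into the `node -e` process; if it does not, `process.env.INJECT_RECOUP_API_KEY` and friends are undefined there and the script silently writes `undefined` into openclaw.json instead of the key. The JSON.stringify alternative floated in the agent prompt below is not a substitute: it emits double quotes, which terminate the enclosing `node -e "…"` argument under `sh -c`, so the environment route shown in the hunk is the one to take. Note also that both sides of the hunk still set `c.env.CHARTMETRIC_REFRESH_TOKEN`, whereas the later "Option A" commit replaces that token with CHARTMETRIC_BASE_URL so the refresh token never reaches the sandbox; re-check the suggestion against the current revision before applying it.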
Verify each finding against the current code and only fix it if needed. In `@src/sandboxes/setupOpenClaw.ts` around lines 47 - 48, The template currently interpolates githubToken and chartmetricRefreshToken directly into the shell string setting c.env.GITHUB_TOKEN and c.env.CHARTMETRIC_REFRESH_TOKEN, which can break if tokens contain quotes or special chars; update the code in src/sandboxes/setupOpenClaw.ts to safely inject these values by escaping or serializing them (e.g., replace the direct interpolation with JSON.stringify(githubToken) and JSON.stringify(chartmetricRefreshToken) or otherwise escape single quotes) or, preferably, pass them via the spawned process environment instead of embedding in the shell string; target the exact interpolations that produce "c.env.GITHUB_TOKEN = '...';" and "c.env.CHARTMETRIC_REFRESH_TOKEN = '...';" and ensure the final string is produced using the safe serialization/escape approach.
ℹ️ Review info: configuration used: defaults; review profile: CHILL; plan: Pro; run ID: 355f7229-b4bc-4bc2-ae63-f17ec711093d
📒 Files selected for processing (2)
src/sandboxes/getSandboxEnv.ts
src/sandboxes/setupOpenClaw.ts
Implements Option A for credits: sandboxes now receive CHARTMETRIC_BASE_URL pointing to the api proxy (https://recoup-api.vercel.app/api/chartmetric) instead of the raw CHARTMETRIC_REFRESH_TOKEN. The proxy handles token exchange, credit deduction, and forwards requests to Chartmetric — keeping the key server-side only. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Tests were failing because the new CHARTMETRIC_BASE_URL env var was added to getSandboxEnv but the test assertions were not updated to expect it. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Automated PR from coding agent.
Prompt: @U0AJM7X8FBR How can we give Recoup the ability to use a chartmetric API key in a sandbox without exposing the key?
Changes:
src/sandboxes/getSandboxEnv.ts — added optional CHARTMETRIC_REFRESH_TOKEN pass-through (same pattern as GITHUB_TOKEN). No-op if the env var is not set.
src/sandboxes/setupOpenClaw.ts — added optional CHARTMETRIC_REFRESH_TOKEN injection into the openclaw.json env block, so the OpenClaw agent and all subprocess spawns inherit it.