Summary
Dogfood review found 72 environment-variable reads across 32 production files. Environment variables are used for CLI display behavior, config discovery, MCP/auth behavior, plugin trust, hooks, subprocess policy, update checks, logging, and indexing options. These should have consistent invalid-value diagnostics and secret/trust-boundary handling.
Evidence
Dogfood command:
dotnet ./src/CodeIndex/bin/Debug/net8.0/cdidx.dll search --recipe dogfood-risk-patterns/environment-variable-parser --path src/ --exclude-tests --count-by file --limit 80
Top files:
QueryCommandRunner: 7
ConsoleUi: 6
IndexCommandRunner.Parse: 6
CdidxConfigFile: 5
GlobalToolLog: 5
ProgramRunner: 5
UpdateChecker: 3
PostExtractionHooks: 3
ActiveWorkspace, EnvironmentOptionParser, and several MCP/subprocess/plugin paths: 2 each or more.
Representative areas:
- display/color/ascii environment variables in CLI/UI code;
- config and active-workspace environment overrides;
- MCP tool filtering and authentication-related environment reads;
- workspace plugin trust and hook directory environment variables;
- subprocess environment copying;
- update checker and global log settings.
Audit goals
- Verify invalid boolean/integer/list values warn, fail closed, or are explicitly documented as ignored.
- Verify trust-boundary variables such as plugin/hook/auth settings have clear diagnostics and redaction.
- Verify secret-like values are not logged or echoed through status, doctor, audit logs, or issue-draft output.
- Centralize parsing where reasonable so new environment options inherit diagnostics.
Acceptance criteria
- Environment-variable reads are classified by domain: display, config, auth/secret, trust boundary, subprocess, update/logging, indexing/query behavior.
- Invalid values have consistent behavior and tests for at least representative domains.
- Secret-like variables are redacted in user-visible output.
- Documentation lists security-sensitive environment variables and their failure modes.
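One shape the centralized parsing in the audit goals could take, as an added C# sketch that is not cdidx code: invalid booleans fall back to a safe default with a diagnostic, and the raw value is redacted for auth/secret and trust-boundary domains. `EnvDomain`, `EnvOptions` and the `EXAMPLE_*` variable names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
// Added illustration. EnvDomain, EnvOptions and the EXAMPLE_* variable names are
// hypothetical; they are not cdidx identifiers.
enum EnvDomain { Display, Config, AuthSecret, TrustBoundary }
static class EnvOptions
{
    public static readonly List<string> Diagnostics = new();
    static bool Sensitive(EnvDomain d) => d is EnvDomain.AuthSecret or EnvDomain.TrustBoundary;
    // Unset or invalid input yields safeDefault; invalid input also records a diagnostic.
    public static bool GetBool(string name, EnvDomain domain, bool safeDefault)
    {
        string? raw = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(raw)) return safeDefault;
        switch (raw.Trim().ToLowerInvariant())
        {
            case "1": case "true": case "yes": case "on": return true;
            case "0": case "false": case "no": case "off": return false;
        }
        // The raw value is echoed only for non-sensitive domains.
        string shown = Sensitive(domain) ? "<redacted>" : $"'{raw}'";
        Diagnostics.Add($"warning: {name}={shown} is not a boolean; using {safeDefault}");
        return safeDefault;
    }

    // For status/doctor-style output: sensitive variables report presence only.
    public static string Describe(string name, EnvDomain domain)
    {
        string? raw = Environment.GetEnvironmentVariable(name);
        if (raw is null) return $"{name}: (unset)";
        return Sensitive(domain) ? $"{name}: (set, redacted)" : $"{name}: {raw}";
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample environment: two invalid booleans and one secret.
        Environment.SetEnvironmentVariable("EXAMPLE_COLOR", "maybe");
        Environment.SetEnvironmentVariable("EXAMPLE_TRUST_PLUGINS", "ture");
        Environment.SetEnvironmentVariable("EXAMPLE_TOKEN", "constructed-secret");
        bool color = EnvOptions.GetBool("EXAMPLE_COLOR", EnvDomain.Display, true);
        bool trust = EnvOptions.GetBool("EXAMPLE_TRUST_PLUGINS", EnvDomain.TrustBoundary, false);
        Console.WriteLine($"color={color} trustPlugins={trust}");
        Console.WriteLine(EnvOptions.Describe("EXAMPLE_TOKEN", EnvDomain.AuthSecret));
        EnvOptions.Diagnostics.ForEach(Console.WriteLine);
    }
}
```

The misspelled trust value leaves plugin trust off rather than on, and neither the warning for it nor the token line contains the raw value.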