[nongnu] elpa/aidermacs 680014bd8fb 2/3: Make a copy of process-environment to prevent leaking secrets set in hook

Sun, 17 Aug 2025 01:00:55 -0700 

branch: elpa/aidermacs
commit 680014bd8fb066cd22923a72f203f76a983baedc
Author: Yikai Zhao <yi...@z1k.dev>
Commit: Matthew Zeng <matthew...@gmail.com>

    Make a copy of process-environment to prevent leaking secrets set in hook
    
    before this change, the environment would be visible in all other
    processes emacs launches in the future
---
 README.md             |  2 +-
 aidermacs-backends.el | 14 ++++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index cda6da2c85e..bc32d1a69b0 100644
--- a/README.md
+++ b/README.md
@@ -199,7 +199,7 @@ Example usage to securely set an OpenAI API key from 
password-store:
             (setenv "OPENAI_API_KEY" (password-store-get 
"code/openai_api_key"))))
 ```
 
-This approach keeps sensitive information out of your dotfiles while still 
making it available to Aidermacs.
+The environment variable set in the hook would only be visible to aider 
process. This approach keeps sensitive information out of your dotfiles while 
still making it available to Aidermacs.
 
 ### Default Model Selection
 
diff --git a/aidermacs-backends.el b/aidermacs-backends.el
index 456fa40b2f3..ed8330b9b87 100644
--- a/aidermacs-backends.el
+++ b/aidermacs-backends.el
@@ -60,12 +60,14 @@ of using a comint process."
 PROGRAM is the aidermacs executable path.  ARGS are command line arguments.
 BUFFER-NAME is the name for the aidermacs buffer."
   (message "Running %s with %s" program args)
-  (run-hooks 'aidermacs-before-run-backend-hook)
-  (cond
-   ((eq aidermacs-backend 'vterm)
-    (aidermacs-run-vterm program args buffer-name))
-   (t
-    (aidermacs-run-comint program args buffer-name))))
+  ;; make a copy of process-environment, so that secrets set in the hook is 
only visible by aider
+  (let ((process-environment process-environment))
+    (run-hooks 'aidermacs-before-run-backend-hook)
+    (cond
+     ((eq aidermacs-backend 'vterm)
+      (aidermacs-run-vterm program args buffer-name))
+     (t
+      (aidermacs-run-comint program args buffer-name)))))
 
 (defun aidermacs--is-aidermacs-buffer-p (&optional buffer)
   "Check if BUFFER is any type of aidermacs buffer.

Reply via email to