server/coder: working-tree backend changes (pre-existing)

Checkpoint of in-progress backend work present in the tree, not authored this session: auto_name, inference tool-phase/turn, secret_guard, provider-registry, plus a new agent-allowlist test (7 tests, passing). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 03:12:16 +00:00
parent 990a615b87
commit 547fd70650
6 changed files with 158 additions and 23 deletions
--- a/apps/server/src/services/secret_guard.ts
+++ b/apps/server/src/services/secret_guard.ts
@@ -163,6 +163,13 @@ const COMPILED: ReadonlyArray<CompiledPattern> = DEFAULT_SECURITY_IGNORE_FILETYP
 // Returns true when `relPath` matches a known-secret pattern. Case-insensitive
 // (regex 'i' flag). Always normalize path separators to `/` so Windows-origin
 // paths match the same patterns. Empty or root-only paths return false.
+const SAFE_PATTERNS: ReadonlySet<string> = new Set([
+  '.env.example',
+  '.env.sample',
+  '.env.template',
+  '.env.defaults',
+]);
+
 export function isSecretPath(relPath: string): boolean {
  if (!relPath) return false;
  const normalized = relPath.replace(/\\/g, '/');
@@ -170,6 +177,8 @@ export function isSecretPath(relPath: string): boolean {
  if (segments.length === 0) return false;
  const base = segments[segments.length - 1]!;

+  if (SAFE_PATTERNS.has(base.toLowerCase())) return false;
+
  for (const compiled of COMPILED) {
    if (compiled.mode === 'basename') {
      if (compiled.regex.test(base)) return true;