docs: sync runtime env and security documentation

2026-02-23 16:20:28 -05:00
parent c65b9ed007
commit 20e944f7d4
4 changed files with 29 additions and 6 deletions
--- a/.env.example
+++ b/.env.example
@@ -6,6 +6,7 @@ CODEX_SKIP_GIT_CHECK=true
 MCP_CONFIG_PATH=./mcp.config.json

 # Anthropic Claude Agent SDK
+# CLAUDE_CODE_OAUTH_TOKEN takes precedence over ANTHROPIC_API_KEY when both are set.
 CLAUDE_CODE_OAUTH_TOKEN=
 ANTHROPIC_API_KEY=
 CLAUDE_MODEL=
@@ -34,6 +35,7 @@ AGENT_PORT_LOCK_DIR=.ai_ops/locks/ports
 AGENT_DISCOVERY_FILE_RELATIVE_PATH=.agent-context/resources.json

 # Security middleware
+# AGENT_SECURITY_VIOLATION_MODE: hard_abort | validation_fail
 AGENT_SECURITY_VIOLATION_MODE=hard_abort
 AGENT_SECURITY_ALLOWED_BINARIES=git,npm,node,cat,ls,pwd,echo,bash,sh
 AGENT_SECURITY_COMMAND_TIMEOUT_MS=120000
@@ -42,3 +44,7 @@ AGENT_SECURITY_ENV_INHERIT=PATH,HOME,TMPDIR,TMP,TEMP,LANG,LC_ALL
 AGENT_SECURITY_ENV_SCRUB=
 AGENT_SECURITY_DROP_UID=
 AGENT_SECURITY_DROP_GID=
+
+# Runtime-injected (do not set manually):
+# AGENT_REPO_ROOT, AGENT_WORKTREE_PATH, AGENT_WORKTREE_BASE_REF,
+# AGENT_PORT_RANGE_START, AGENT_PORT_RANGE_END, AGENT_PORT_PRIMARY, AGENT_DISCOVERY_FILE