Source: vercel/vercel#14371
Pain
echo "$SECRET" | vercel env add CRON_SECRET production silently stores the value with a trailing \n. Vercel's build-time validator only catches this for HTTP-header keys (e.g. CRON_SECRET) — silent corruption for everything else (HMAC keys, tokens, etc.). Comment 2026-04-17 confirms LLM agents (Claude Code's official Vercel plugin v0.40.0) prescribe this exact broken pattern, so every agent-driven user hits it.
Our solution
We already strip on env add stdin. Extend it:
Also strip --value flag input (not just stdin) — currently only piped stdin is sanitized.
Print a visible notice when stripping occurs: ✂️ avercel: stripped trailing whitespace from (so users learn, not just silently fixed).
env check already audits — make sure it covers ALL keys, not just header-validated ones, and emit fix command (avercel env fix ).
Add avercel env fix [target] — pulls current value, strips, re-adds. One-shot remediation.
DoD
[ ] --value input is sanitized identically to stdin
[ ] Visible notice on strip
[ ] env check flags trailing whitespace on all keys
[ ] env fix command implemented
[ ] Tests for: piped echo, --value with trailing space, multi-target re-add
Migrated from NEBULA-91 | Parent: NEBULA-18 | Original status: To Do
Source: vercel/vercel#14371
Pain
echo "$SECRET" | vercel env add CRON_SECRET production silently stores the value with a trailing \n. Vercel's build-time validator only catches this for HTTP-header keys (e.g. CRON_SECRET) — silent corruption for everything else (HMAC keys, tokens, etc.). Comment 2026-04-17 confirms LLM agents (Claude Code's official Vercel plugin v0.40.0) prescribe this exact broken pattern, so every agent-driven user hits it.
Our solution
We already strip on env add stdin. Extend it:
Also strip --value flag input (not just stdin) — currently only piped stdin is sanitized.
Print a visible notice when stripping occurs: ✂️ avercel: stripped trailing whitespace from (so users learn, not just silently fixed).
env check already audits — make sure it covers ALL keys, not just header-validated ones, and emit fix command (avercel env fix ).
Add avercel env fix [target] — pulls current value, strips, re-adds. One-shot remediation.
DoD
[ ] --value input is sanitized identically to stdin
[ ] Visible notice on strip
[ ] env check flags trailing whitespace on all keys
[ ] env fix command implemented
[ ] Tests for: piped echo, --value with trailing space, multi-target re-add
Migrated from NEBULA-91 | Parent: NEBULA-18 | Original status: To Do