fix: add size-based filtering to --env-all to prevent E2BIG

[lpcox]

Summary

Adds size-based filtering to --env-all passthrough to prevent E2BIG (Argument list too long) kernel errors when the runner environment is too large.

Problem

On GitHub Actions runners, --env-all forwards the full environment (~1.5–2 MB of GITHUB_*, tool-cache, matrix vars, etc.) into the container. Combined with large command arguments (e.g., inlined prompts via --prompt \"$(cat ...)\"), this exceeds the Linux ARG_MAX limit (~2 MB for argv + envp), causing:

/bin/bash: line 1: /usr/local/bin/node: Argument list too long

Changes

src/docker-manager.ts

Per-variable size cap (MAX_ENV_VALUE_SIZE = 64KB):

• Variables with values exceeding 64 KB are skipped from --env-all passthrough
• Warning lists all skipped variables with their sizes
• Users can still explicitly pass large values via --env VAR=\"\$VAR\"

Total environment size warning (ENV_SIZE_WARNING_THRESHOLD = 1.5MB):

• After all env construction (env-all, env-file, env flags), checks total size
• Warns when approaching ARG_MAX, suggesting --exclude-env

Tests (2 new)

• Oversized var (65KB) correctly skipped from passthrough
• Normal-sized var correctly included in passthrough

Design Decisions

• 64KB threshold is generous — most useful env vars are < 1KB; this only catches truly pathological values
• Warning, not error — avoids breaking existing workflows; the actual E2BIG failure depends on argv size too
• No new CLI flag — sensible defaults first; if users need to override, they can use --env VAR explicitly
• AWF-side mitigation only — the prompt-side fix (using --prompt-file instead of shell expansion) is tracked upstream in gh-aw

Closes #1965

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	85.18%	85.28%	📈 +0.10%
Statements	85.08%	85.18%	📈 +0.10%
Functions	87.85%	87.88%	📈 +0.03%
Branches	77.82%	77.88%	📈 +0.06%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	86.3% → 86.6% (+0.36%)	85.9% → 86.2% (+0.35%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Adds guardrails around --env-all passthrough to reduce the likelihood of Linux E2BIG (ARG_MAX) failures when large GitHub Actions runner environments are combined with large command arguments.

Changes:

• Skip individual process.env variables whose values exceed a fixed per-variable size threshold during --env-all passthrough, emitting warnings listing what was skipped.
• Emit a warning when the constructed container environment (after --env-all, --env-file, and --env) exceeds a total-size warning threshold.
• Add unit tests covering “oversized var skipped” and “normal var included” behaviors.

Show a summary per file

File	Description
src/docker-manager.ts	Adds per-variable filtering and overall env-size warning to reduce ARG_MAX/E2BIG risk when --env-all is used.
src/docker-manager.test.ts	Adds tests validating that oversized env vars are skipped and normal-sized ones still pass through under --env-all.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

src/docker-manager.ts:946

• The total environment size warning is described in bytes, but the calculation uses k.length / v.length (UTF-16 code units). This can significantly undercount actual envp size and reduce the usefulness of the ARG_MAX warning. Consider switching to Buffer.byteLength for both key and value and keeping the + 2 only for the literal = and NUL terminator bytes.

    const totalEnvBytes = Object.entries(environment)
      .reduce((sum, [k, v]) => sum + k.length + (v?.length ?? 0) + 2, 0); // +2 for '=' and null
    if (totalEnvBytes > ENV_SIZE_WARNING_THRESHOLD) {
      logger.warn(
        `⚠️  Total container environment size is ${(totalEnvBytes / 1024).toFixed(0)} KB — ` +
        'may cause E2BIG (Argument list too long) errors when combined with large command arguments'
      );
      logger.warn('   Consider using --exclude-env to remove unnecessary variables');
    }

• Files reviewed: 2/2 changed files
• Comments generated: 1

[github-actions]

Smoke Test Results

✅ GitHub MCP: feat: add upstream corporate proxy support (#1976), optimize(secret-digger-claude): default threat detection to Haiku (#1974)
✅ Playwright: GitHub page title verified
✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-24424029719.txt created
✅ Bash: File read back successfully

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔥 Smoke Test Results

Test	Status
GitHub MCP (github-list_pull_requests)	✅
GitHub.com connectivity (HTTP 200)	✅
File write/read (smoke-test-copilot-24424029728.txt)	✅

PR: fix: add size-based filtering to --env-all to prevent E2BIG
Author: @lpcox | Assignees: none

Overall: PASS ✅

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.14.1	v20.20.2	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ Not all versions matched.

Python and Node.js versions differ between the host and chroot environment. Go versions match. The chroot appears to be running older versions of Python (3.12.3 vs 3.12.13) and Node.js (v20.20.2 vs v24.14.1).

Tested by Smoke Chroot

[github-actions]

🔮 The ancient spirits stir at the firewall gate.
The smoke rites were cast, but the discussion scrying channel was sealed in this realm.
The oracle leaves this sigil on PR #1978 as proof the watcher passed.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test: GitHub Actions Services Connectivity ✅

All checks passed:

Service	Check	Result
Redis	PING → host.docker.internal:6379	✅ PONG
PostgreSQL	pg_isready → host.docker.internal:5432	✅ accepting connections
PostgreSQL	SELECT 1 on smoketest db as postgres	✅ returned 1

Note: redis-cli was not installed, so Redis was tested via raw TCP using the Redis wire protocol (netcat), which returned +PONG.

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1978 · ● 740.2K · ◷