Unify launch env resolution on the server.

[tarik02]

What Changed

Server now owns injection of T3CODE_* launch environment for terminals and provider sessions.

• Added LaunchEnv service (apps/server/src/launchEnv/) that builds authoritative env:
  • T3CODE_HOME
  • T3CODE_PROJECT_ROOT
  • T3CODE_PROJECT_ID (new)
  • T3CODE_THREAD_ID (new)
  • T3CODE_WORKTREE_PATH (when a worktree is active)
• Terminal manager resolves env on open, restart, and attach via resolveTerminalLaunchEnv.
• ProviderCommandReactor passes the same env into provider session starts; all four adapters merge it via mergeProviderSessionEnvironment.
• Inherited / client-supplied T3CODE_* keys are stripped before spawn so values cannot be spoofed.
• Clients (web + mobile) no longer synthesize T3CODE_*; they pass projectId + cwd/worktree context only.
• projectId is now required on TerminalOpenInput / TerminalRestartInput.
• Shared helper @t3tools/shared/launchEnv centralizes managed-key detection/stripping.

Closes #3003

Why

Make t3code provide T3CODE_PROJECT_ROOT / T3CODE_WORKTREE_PATH. Unified environment resolution between terminal and provider child processes. Made env variables resolution mostly server-side + added variable filtering (don't pass T3CODE_* from parent/custom vars)

UI Changes

No UI changes.

Checklist

• This PR is small and focused
• I explained what changed and why
• I included before/after screenshots for any UI changes (N/A)
• I included a video for animation/interaction changes (N/A)

Note

Unify launch environment resolution for terminals and provider sessions on the server

• Introduces a LaunchEnv service that resolves T3CODE_* environment variables (project root, project ID, thread ID, worktree path) from project/thread context using ServerConfig.baseDir as T3CODE_HOME.
• Terminal open, restart, and attach inputs now require a projectId and have their launch env resolved server-side via resolveTerminalLaunchEnv before session start, replacing client-supplied T3CODE_* env vars.
• Provider session adapters (Claude, Codex, Cursor, OpenCode) now merge per-session env from ProviderCommandReactor with instance-level env via mergeProviderSessionEnvironment, stripping managed T3CODE_* keys from user-supplied overrides.
• isManagedRuntimeEnvKey and stripManagedRuntimeEnvKeys are extracted to @t3tools/shared/launchEnv as shared utilities; projectScriptRuntimeEnv is removed from @t3tools/shared/projectScripts.
• Web and mobile clients no longer construct or forward T3CODE_* env vars when opening terminals; projectId is now required in terminalOpen and terminalRestart API calls.
• Risk: TerminalOpenInput and TerminalRestartInput schema validation now requires projectId, making this a breaking contract change for any callers not yet updated.

^{Macroscope summarized 767954b. (Automatic summaries will resume when PR exits draft mode or review begins).}

---

Note

Medium Risk
Contract-breaking projectId on terminal open/restart and changed env injection paths affect all terminal/provider spawns; managed-key stripping is intentional but any external caller relying on client-set T3CODE_* will break.

Overview
Centralizes T3CODE_* launch environment on the server so terminals and provider child processes get the same authoritative context instead of clients building it locally.

A new LaunchEnv service merges T3CODE_HOME, project/thread/worktree fields (including T3CODE_PROJECT_ID and T3CODE_THREAD_ID), strips client-supplied T3CODE_* keys via @t3tools/shared/launchEnv, and is wired into the server runtime and integration tests.

Terminals: TerminalOpenInput / TerminalRestartInput now require projectId; open, restart, and attach resolve env through resolveTerminalLaunchEnv before spawn. Web/mobile stop sending synthesized T3CODE_* (only cwd/worktree and optional non-managed custom env).

Providers: ProviderCommandReactor resolves launch env for startSession; adapters merge per-session env with mergeProviderSessionEnvironment. projectScriptRuntimeEnv is removed from shared and clients.

^{Reviewed by Cursor Bugbot for commit 767954b. Bugbot is set up for automated code reviews on this repo. Configure here.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 990451b1-0636-4e53-ad0a-36c985752f34

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 767954b. Configure here.}

[cursor]

Open ignores thread project binding

Medium Severity

resolveTerminalOpenInput and resolveTerminalRestartInput build authoritative T3CODE_* env from client-supplied projectId only. They never load the thread and check that projectId matches the thread’s project. A caller can pass a different projectId while keeping another cwd/worktree, so spawned terminals get wrong project metadata even though managed keys in env are stripped.

Additional Locations (1)

• apps/server/src/terminal/resolveTerminalLaunchEnv.ts#L95-L110

 

^{Reviewed by Cursor Bugbot for commit 767954b. Configure here.}

[macroscopeapp]

Approvability

Verdict: Needs human review

This PR centralizes environment resolution on the server, introducing new services and changing how terminal/provider sessions receive environment variables. The architectural scope plus an unresolved review comment about missing project binding validation warrants careful review.

^{You can customize Macroscope's approvability policy. Learn more.}