Summary

Describe this PR in 2-5 bullets:

• Problem: managed per-project env vars were only injected into Claude workflow AI nodes, while Codex workflow nodes, bash/script DAG nodes, and direct orchestrator chat silently dropped them.
• Why it matters: project-scoped secrets and config behaved inconsistently across execution surfaces, which broke the expectation that env configured once would work everywhere in project context.
• What changed: threaded merged env vars into bash/script subprocess execution, added DAG capability warnings for env injection, made Codex construct per-call SDK instances when env is present, and forwarded codebase-scoped env vars through direct orchestrator chat.
• What did not change (scope boundary): this does not make direct chat run in repo cwd; it only makes direct chat env-consistent when a conversation is codebase-scoped.

UX Journey

Before

User                   Archon                       Execution surface
────                   ──────                       ─────────────────
sets project env ───▶  stores repo/db env
runs Claude node ───▶  merges managed env ───────▶ Claude sees env
runs Codex node  ───▶  drops managed env  ───────▶ Codex misses env
runs bash/script ───▶  drops managed env  ───────▶ subprocess misses env
opens direct chat ─▶   drops managed env  ───────▶ provider misses env

After

User                   Archon                               Execution surface
────                   ──────                               ─────────────────
sets project env ───▶  stores repo/db env
runs Claude node ───▶  merges managed env ───────────────▶ Claude sees env
runs Codex node  ───▶  [builds per-call Codex with env] ─▶ Codex sees env
runs bash/script ───▶  [passes env to subprocess] ───────▶ subprocess sees env
opens direct chat ─▶   [merges repo+DB env in request] ──▶ provider sees env

Architecture Diagram

Before

WorkflowConfig/envVars ----> dag-executor ----> Claude provider
                                 |
                                 +----> Codex provider (no managed env path)
                                 +----> bash/script execFileAsync (no env path)

orchestrator-agent ----> provider requestOptions (assistantConfig only)
exec.ts ----> execFileAsync wrapper (no env option exposed)

After

WorkflowConfig/envVars ----> [~] dag-executor ===> [~] Codex provider
                                 |                     |
                                 |                     +===> per-call Codex(env)
                                 +===> [~] exec.ts/execFileAsync(env)
                                 +===> bash/script subprocesses

[~] orchestrator-agent ===> provider requestOptions(assistantConfig + env)

Connection inventory (list every module-to-module edge, mark changes):

Label Snapshot

• Risk: risk: medium
• Size: size: M
• Scope: core|workflows|git|tests
• Module: multi:managed-execution-env

Change Metadata

• Change type: feature
• Primary scope: multi

Linked Issue

• Closes feat: managed execution env as a first-class, execution-consistent feature #1161
• Related #
• Depends on # (if stacked)
• Supersedes # (if replacing older PR)

Validation Evidence (required)

Commands and result summary:

bun run type-check
bun test packages/providers/src/codex/provider.test.ts \
  packages/workflows/src/dag-executor.test.ts \
  packages/core/src/orchestrator/orchestrator-agent.test.ts

• Evidence provided (test/log/trace/screenshot): full workspace type-check passed; targeted provider/workflow/orchestrator regression tests passed.
• If any command is intentionally skipped, explain why: full bun run lint, bun run format:check, and full bun run test were not rerun manually; staged-file eslint/prettier ran successfully in the commit hook.

Security Impact (required)

• New permissions/capabilities? (Yes)
• New external network calls? (No)
• Secrets/tokens handling changed? (Yes)
• File system access scope changed? (No)
• If any Yes, describe risk and mitigation: managed env injection is intentionally expanded to additional execution surfaces. Risk is broader secret availability inside project-context executions; mitigation is explicit env merging only for configured project env, no new env sources, retained process cleanup, and capability/test coverage for each path.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Database migration needed? (No)
• If yes, exact upgrade steps:

Human Verification (required)

What was personally validated beyond CI:

• Verified scenarios: workflow env passed to Claude request options, bash nodes, script nodes, Codex per-call construction, and orchestrator direct chat env merge.
• Edge cases checked: empty env does not inject, Codex env path strips undefined process.env values to satisfy SDK typing, provider capability warnings fire for env injection.
• What was not verified: direct orchestrator chat still does not run in repo cwd; this PR does not change that behavior.

Side Effects / Blast Radius (required)

• Affected subsystems/workflows: workflow DAG execution, Codex provider lifecycle, direct orchestrator chat, subprocess execution wrapper, related tests.
• Potential unintended effects: Codex requests with env now bypass the singleton and construct fresh SDK instances; subprocess env composition now explicitly includes managed env on bash/script nodes.
• Guardrails/monitoring for early detection: targeted regression tests, type-check coverage, and DAG capability warnings when env injection is requested on unsupported providers.

Rollback Plan (required)

• Fast rollback command/path: revert commit 2b8d4282 or revert this PR.
• Feature flags or config toggles (if any): none.
• Observable failure symptoms: managed env missing in Codex/bash/script/direct-chat project flows, or unexpected provider/subprocess failures when env is configured.

Risks and Mitigations

List real risks in this PR (or write None).

• Risk: per-call Codex instantiation could change performance or lifecycle behavior for env-configured requests.
  • Mitigation: singleton path remains unchanged when no env is requested; targeted tests cover the env-specific constructor path.
• Risk: expanded env injection increases secret exposure to more execution surfaces.
  • Mitigation: only project-scoped managed env is injected, merges remain explicit, and no new implicit env-loading behavior was introduced.
• Risk: users may still expect direct chat to run fully inside the attached repo.
  • Mitigation: scope remains env consistency only; cwd behavior is unchanged and should be handled in a follow-up if desired.

Summary by CodeRabbit

Release Notes

• New Features

  • Environment variables configured at the codebase level can now be injected into Codex provider execution and bash/script subprocess nodes, enabling consistent secret and configuration management across more execution surfaces.

• Documentation

  • Updated documentation to reflect the expanded scope of environment variable injection across execution surfaces.