npm - @n8n-as-code/n8nac - Versions diffs - 2026.3.1 → 2026.3.2-next.3 - Mend

@n8n-as-code/n8nac 2026.3.1 → 2026.3.2-next.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@n8n-as-code/n8nac",
-  "version": "2026.3.1",
+  "version": "2026.3.2-next.3",
   "description": "OpenClaw plugin for n8n-as-code — create and manage n8n workflows from OpenClaw",
   "keywords": [
     "n8n",

package/src/child-env.ts ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * Build a minimal environment for child processes.
+ * Only passes the vars needed for npx/node to operate, deliberately excluding
+ * any sensitive credentials that the parent (agent host) may hold in its env
+ * (e.g. LLM API keys), preventing accidental credential forwarding.
+ */
+export function getChildEnv(): NodeJS.ProcessEnv {
+  const env: NodeJS.ProcessEnv = {};
+  // Matches var names that look like credentials anywhere in the name — these are never forwarded
+  // even if they match another allowlist prefix (e.g. NODE_AUTH_TOKEN, npm_config_*:_authToken,
+  // npm_config_authority is intentionally over-blocked since we prefer false-positives to leaks).
+  const secretPattern = /(?:auth|token|password|secret|apikey|api_key|_key)/i;
+  for (const key of Object.keys(process.env)) {
+    const upperKey = key.toUpperCase();
+    if (
+      // Basic system vars needed by node/npx (case-insensitive, including Windows-specific ones)
+      /^(PATH|HOME|USERPROFILE|HOMEDRIVE|HOMEPATH|TMPDIR|TMP|TEMP|LANG|LC_ALL|SHELL|TERM|TERM_PROGRAM|NODE_PATH|NODE_OPTIONS|SYSTEMROOT|COMSPEC|PATHEXT)$/.test(
+        upperKey,
+      ) ||
+      // npm execution/config vars required by npx — but NOT auth/token vars
+      // (e.g. excludes npm_config_//registry.npmjs.org/:_authToken)
+      (key.startsWith("npm_") && !secretPattern.test(key)) ||
+      // Specific safe NODE_* vars (deliberately NOT a prefix match to exclude NODE_AUTH_TOKEN)
+      /^NODE_(ENV|NO_WARNINGS|ICU_DATA)$/.test(upperKey) ||
+      // n8n-as-code specific vars
+      key.startsWith("N8N_AS_CODE_")
+    ) {
+      env[key] = process.env[key];
+    }
+  }
+  return env;
+}

package/src/cli.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import { spawn } from "node:child_process";
 import type { ChildProcess, ChildProcessWithoutNullStreams } from "node:child_process";
 import * as p from "@clack/prompts";
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import { getChildEnv } from "./child-env.js";
 import { isWorkspaceInitialized } from "./workspace.js";
 type CliProgram = Parameters<Parameters<OpenClawPluginApi["registerCli"]>[0]>[0]["program"];
@@ -24,14 +25,14 @@ function runN8nac(
   opts: {
     cwd: string;
     timeout: number;
-    env?: NodeJS.ProcessEnv;
+    stdinInput?: string;
     stdio?: "pipe" | "inherit";
   },
 ): Promise<RunResult> {
   return new Promise((resolve) => {
     const baseOptions = {
       cwd: opts.cwd,
-      env: { ...process.env, ...opts.env },
+      env: getChildEnv(),
     };
     const child: ChildProcess | ChildProcessWithoutNullStreams =
@@ -65,6 +66,11 @@ function runN8nac(
       });
     }
+    if (opts.stdinInput !== undefined && "stdin" in child && child.stdin) {
+      child.stdin.write(`${opts.stdinInput}\n`);
+      child.stdin.end();
+    }
     const timer = setTimeout(() => {
       timedOut = true;
       child.kill("SIGTERM");
@@ -154,10 +160,10 @@ export function registerN8nAcCli({ program, workspaceDir }: CliOpts): void {
       const authSpinner = p.spinner();
       authSpinner.start("Saving credentials…");
-      const authResult = await runN8nac(["init-auth", "--host", host], {
+      const authResult = await runN8nac(["init-auth", "--host", host, "--api-key-stdin"], {
         cwd: workspaceDir,
         timeout: 60_000,
-        env: { N8N_API_KEY: apiKey },
+        stdinInput: apiKey,
       });
       if (authResult.exitCode !== 0) {

package/src/tool.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { spawn } from "node:child_process";
 import { Type } from "@sinclair/typebox";
+import { getChildEnv } from "./child-env.js";
 import { isWorkspaceInitialized } from "./workspace.js";
 // ---------------------------------------------------------------------------
@@ -100,13 +101,13 @@ type RunResult = {
 function runNpx(
   args: string[],
   cwd: string,
-  env?: NodeJS.ProcessEnv,
+  stdinInput?: string,
 ): Promise<RunResult> {
   return new Promise((resolve) => {
     const child = spawn("npx", ["--yes", "n8nac", ...args], {
       cwd,
-      env: { ...process.env, ...env },
       stdio: "pipe",
+      env: getChildEnv(),
     });
     let stdout = "";
@@ -131,6 +132,11 @@ function runNpx(
       stderr += chunk.toString();
     });
+    if (stdinInput !== undefined) {
+      child.stdin.write(`${stdinInput}\n`);
+      child.stdin.end();
+    }
     const timer = setTimeout(() => {
       timedOut = true;
       child.kill("SIGTERM");
@@ -250,7 +256,7 @@ export function createN8nAcTool(opts: { workspaceDir: string }) {
         if (!host || !key) {
           return ok({ error: "n8nHost and n8nApiKey are required for init_auth" });
         }
-        const r = await runNpx(["init-auth", "--host", host], workspaceDir, { N8N_API_KEY: key });
+        const r = await runNpx(["init-auth", "--host", host, "--api-key-stdin"], workspaceDir, key);
         if (r.exitCode !== 0) {
           return ok({ error: r.stderr || r.stdout, exitCode: r.exitCode });
         }