fix(keyconv): preserve verbatim keys for env/headers/defaultEnv (gh_token bug) #30

Merged: vanducng merged 1 commit into main from fix/keyconv-preserve-env-header-keys on Jun 14, 2026

@vanducng vanducng commented Jun 14, 2026

Root cause: transformKeys recursed into every nested map, snake-casing the KEYS of fields that hold user data. camelToSnake("GH_TOKEN")="gh_token" → the master gh SecureCLI's token landed under gh_token, which the gh CLI never reads → exit 4: populate the GH_TOKEN environment variable. Same silent corruption affects MCP headers and workstation defaultEnv.

Fix: transformKeys no longer recurses into the value of passthrough fields (env, encryptedEnv/encrypted_env, headers, defaultEnv/default_env). The field key still converts; its value map's keys are verbatim. Adds TestKeyConv_PreservesPassthroughMapKeys. Prevents the whole class (any env/header credential).

Summary by CodeRabbit

  • Bug Fixes
    • Fixed key transformation logic that was incorrectly modifying user-provided configuration values such as environment variable names, HTTP header names, and default environment configurations.

transformKeys recursed into ALL nested maps, snake-casing the KEYS of fields
that hold user data — env var names, HTTP header names, workstation defaultEnv.
camelToSnake("GH_TOKEN")="gh_token", which the gh CLI never reads, so the
master gh SecureCLI silently failed auth (exit 4: 'populate the GH_TOKEN env
var'). Same corruption hit MCP headers + workstation env injection. The field
KEY still converts (encryptedEnv↔encrypted_env); its value map's keys don't.
@vanducng vanducng merged commit 545e99f into main Jun 14, 2026
@vanducng vanducng deleted the fix/keyconv-preserve-env-header-keys branch June 14, 2026 15:46
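
The guard described in the PR above, as an added example that is not the project's code. The names transformKeys, camelToSnake and passthroughKey and the passthrough field list come from the PR text; the function bodies, the `guard` parameter and the sample payload are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// camelToSnake is a simplified stand-in for the converter named in the PR.
func camelToSnake(s string) string {
	var b strings.Builder
	prevLower := false
	for _, r := range s {
		if unicode.IsUpper(r) && prevLower {
			b.WriteByte('_')
		}
		prevLower = unicode.IsLower(r) || unicode.IsDigit(r)
		b.WriteRune(unicode.ToLower(r))
	}
	return b.String()
}

// Fields whose value maps carry user-chosen keys (list taken from the PR text).
var passthrough = map[string]bool{"env": true, "encryptedEnv": true, "encrypted_env": true, "headers": true, "defaultEnv": true, "default_env": true}

func passthroughKey(k string) bool { return passthrough[k] }

// transformKeys converts map keys recursively; guard=false is the pre-fix behaviour.
func transformKeys(v any, conv func(string) string, guard bool) any {
	m, ok := v.(map[string]any)
	if !ok {
		return v // scalars unchanged; slices omitted to keep the sketch short
	}
	out := make(map[string]any, len(m))
	for k, val := range m {
		nk := conv(k)
		if guard && (passthroughKey(k) || passthroughKey(nk)) {
			out[nk] = val // field key converts, inner keys stay verbatim
			continue
		}
		out[nk] = transformKeys(val, conv, guard)
	}
	return out
}

func main() {
	in := map[string]any{"cliName": "gh", "encryptedEnv": map[string]any{"GH_TOKEN": "<placeholder>"}} // constructed payload
	fmt.Println("recurse everywhere:", transformKeys(in, camelToSnake, false))
	fmt.Println("passthrough guard: ", transformKeys(in, camelToSnake, true))
}
```

Without the guard the inner key comes out as gh_token; with it the field key still becomes encrypted_env while GH_TOKEN is left as written.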
coderabbitai Bot commented Jun 14, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 82198c0b-d7cd-4e69-ae9d-9da4352ee6e4

📥 Commits

Reviewing files that changed from the base of the PR and between 88e17ef and 9c3e18e.

📒 Files selected for processing (2)
  • internal/keyconv/keyconv.go
  • internal/keyconv/keyconv_test.go

📝 Walkthrough

keyconv.go gains a passthroughKey helper that identifies specific field names (env, encryptedEnv, headers, defaultEnv and variants). transformKeys is updated to skip recursive key transformation for the values of those fields, preserving user-defined keys verbatim. A regression test covers all passthrough field variants and a round-trip conversion.

Changes

Passthrough key preservation in keyconv

| Layer / File(s) | Summary |
| --- | --- |
| passthroughKey helper and transformKeys guard (internal/keyconv/keyconv.go) | Adds passthroughKey to identify field names whose nested map values must not be recursively key-converted. Updates transformKeys to check both the original and camel/snake-converted key; if matched, the value is assigned directly without recursion. |
| Regression test for passthrough preservation (internal/keyconv/keyconv_test.go) | Adds TestKeyConv_PreservesPassthroughMapKeys covering env, encryptedEnv, headers, and defaultEnv fields; asserts top-level field keys convert normally while inner map keys (GH_TOKEN, Authorization, MY_SECRET) remain unchanged, and verifies the SnakeToCamel round-trip. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 A hop through the keys, a skip through the maps,
Some fields shout loudly: "Don't touch our caps!"
GH_TOKEN stays proud, Authorization stands tall,
The passthrough guard catches each one from a fall.
With tests to confirm every snake and each hump —
This bunny approves with a triumphant thump! 🌿
