Harden env deep-merge and prevent mutation leaks

- Skip deep-merge when env is an array (falls through to Zod validation)
- Return detached copy of env from getAll() to prevent accidental mutation
- Add tests for both cases

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: 2 people

src/utils/__tests__/session-aware-tool-factory.test.ts

@@ -290,4 +290,33 @@ describe('createSessionAwareTool', () => {
     const parsed = JSON.parse(envContent.text);
     expect(parsed).toEqual({ API_KEY: 'abc123', DEBUG: 'true', VERBOSE: '0' });
   });
+
+  it('rejects array passed as env instead of deep-merging it', async () => {
+    const envSchema = z.object({
+      scheme: z.string(),
+      projectPath: z.string().optional(),
+      env: z.record(z.string(), z.string()).optional(),
+    });
+
+    const envHandler = createSessionAwareTool<z.infer<typeof envSchema>>({
+      internalSchema: envSchema,
+      logicFunction: async (params) => ({
+        content: [{ type: 'text', text: JSON.stringify(params.env) }],
+        isError: false,
+      }),
+      getExecutor: () => createMockExecutor({ success: true }),
+      requirements: [{ allOf: ['scheme'] }],
+    });
+
+    sessionStore.setDefaults({
+      scheme: 'App',
+      projectPath: '/a.xcodeproj',
+      env: { API_KEY: 'abc123' },
+    });
+
+    // Array should not be deep-merged; Zod validation should reject it
+    const result = await envHandler({ env: ['not', 'a', 'record'] as unknown });
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('Parameter validation failed');
+  });
 });

src/utils/__tests__/session-store.test.ts

@@ -94,4 +94,15 @@ describe('SessionStore', () => {
     expect(sessionStore.getActiveProfile()).toBeNull();
     expect(sessionStore.listProfiles()).toEqual([]);
   });
+
+  it('getAll returns a detached copy of env so mutations do not affect stored defaults', () => {
+    sessionStore.setDefaults({ env: { API_KEY: 'secret' } });
+
+    const copy = sessionStore.getAll();
+    copy.env!.API_KEY = 'tampered';
+    copy.env!.EXTRA = 'injected';
+
+    const stored = sessionStore.getAll();
+    expect(stored.env).toEqual({ API_KEY: 'secret' });
+  });
 });

src/utils/session-store.ts

@@ -114,10 +114,12 @@ class SessionStore {
   }
 
   getAllForProfile(profile: string | null): SessionDefaults {
-    if (profile === null) {
-      return { ...this.globalDefaults };
+    const defaults = profile === null ? this.globalDefaults : (this.profiles[profile] ?? {});
+    const copy = { ...defaults };
+    if (copy.env) {
+      copy.env = { ...copy.env };
     }
-    return { ...(this.profiles[profile] ?? {}) };
+    return copy;
   }
 
   listProfiles(): string[] {

src/utils/typed-tool-factory.ts

@@ -168,7 +168,12 @@ function createSessionAwareHandler<TParams, TContext>(opts: {
 
       // Deep-merge env: combine session-default env vars with user-provided ones
       // (user-provided keys take precedence on conflict)
-      if (sessionDefaults.env && typeof sanitizedArgs.env === 'object' && sanitizedArgs.env) {
+      if (
+        sessionDefaults.env &&
+        typeof sanitizedArgs.env === 'object' &&
+        sanitizedArgs.env &&
+        !Array.isArray(sanitizedArgs.env)
+      ) {
         merged.env = { ...sessionDefaults.env, ...(sanitizedArgs.env as Record<string, string>) };
       }