fix(envvar): expand only whole-value placeholders

Resolve env references only when a field's value is exactly ${VAR} or
$VAR. A value that merely contains a $ (a password, a regex
backreference, an unmatched brace) is now returned verbatim instead of
being passed through os.Expand.

This fixes two issues in secret fields (verificationToken, accessToken,
webhook secret, source token, CLI token):

- literal $ in a secret was reinterpreted as a variable reference,
  silently corrupting the secret when the embedded name matched a set
  env var, or failing startup when it did not.
- malformed placeholders (${UNCLOSED, ${}) were silently truncated to a
  partial string or an empty value instead of being preserved.

Author: claude

engine/pkg/config/envvar/envvar.go

@@ -1,9 +1,12 @@
-// Package envvar expands "${VAR}" and "$VAR" placeholders in selected config
-// fields using the process environment.
+// Package envvar expands a config field whose value is solely a "${VAR}" or
+// "$VAR" placeholder using the process environment. A value that merely
+// contains a "$" (a password, a regex backreference, an unmatched brace) is a
+// literal and is left unchanged.
 package envvar
 
 import (
 	"os"
+	"regexp"
 
 	"github.com/pkg/errors"
 )
@@ -14,35 +17,35 @@ type Field struct {
 	Ptr  *string
 }
 
-// ExpandStrict expands "${VAR}" and "$VAR" references in s. It returns an
-// error if any referenced variable is unset, so misconfigured tokens fail
-// loudly at startup instead of silently resolving to an empty string.
+// placeholderRE matches a value that consists solely of a single "${VAR}" or
+// "$VAR" reference, capturing the variable name. Anything else (including a
+// value that merely embeds a "$") is treated as a literal so secrets that
+// legitimately contain a "$" survive load without corruption.
+var placeholderRE = regexp.MustCompile(`^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$|^\$([A-Za-z_][A-Za-z0-9_]*)$`)
+
+// ExpandStrict resolves s when it is exactly a single "${VAR}" or "$VAR"
+// placeholder, returning the referenced environment variable's value. It
+// returns an error if the referenced variable is unset, so a misconfigured
+// placeholder fails loudly at startup instead of silently resolving to an
+// empty string. Any other value, including one that merely contains a "$", is
+// returned unchanged.
 func ExpandStrict(s string) (string, error) {
-	if s == "" {
-		return "", nil
+	m := placeholderRE.FindStringSubmatch(s)
+	if m == nil {
+		return s, nil
 	}
 
-	var missing string
-
-	resolved := os.Expand(s, func(name string) string {
-		if missing != "" {
-			return ""
-		}
-
-		v, ok := os.LookupEnv(name)
-		if !ok {
-			missing = name
-			return ""
-		}
-
-		return v
-	})
+	name := m[1]
+	if name == "" {
+		name = m[2]
+	}
 
-	if missing != "" {
-		return "", errors.Errorf("environment variable %q is not set", missing)
+	v, ok := os.LookupEnv(name)
+	if !ok {
+		return "", errors.Errorf("environment variable %q is not set", name)
 	}
 
-	return resolved, nil
+	return v, nil
 }
 
 // ExpandFields applies ExpandStrict to each field and writes the resolved