docs: document all environment variables and enable CONFIG_DIR override #222

Merged
jpoehnelt merged 3 commits into main from docs/env-vars
Mar 6, 2026

@jpoehnelt
Member

Closes #171

Summary

Documents all 11 environment variables used by gws and enables GOOGLE_WORKSPACE_CLI_CONFIG_DIR in release builds so users can override the config directory.

Changes

  • .env.example — Expanded from 6 to 11 vars, organized by category with descriptions
  • README.md — Added consolidated "Environment Variables" reference section with link to .env.example; added to TOC
  • AGENTS.md — Replaced bullet list with categorized tables covering all vars
  • src/main.rs — Added 5 missing vars to gws --help ENVIRONMENT output
  • src/auth_commands.rs — Removed #[cfg(test)] guard from GOOGLE_WORKSPACE_CLI_CONFIG_DIR so users can override the config directory in production; fixed pre-existing scopes mutability error

Environment Variables

| Category | Variables |
| --- | --- |
| Auth | GOOGLE_WORKSPACE_CLI_TOKEN, CREDENTIALS_FILE, ACCOUNT, IMPERSONATED_USER |
| Config | GOOGLE_WORKSPACE_CLI_CONFIG_DIR |
| OAuth | GOOGLE_WORKSPACE_CLI_CLIENT_ID, CLIENT_SECRET |
| Sanitization | GOOGLE_WORKSPACE_CLI_SANITIZE_TEMPLATE, SANITIZE_MODE |
| Helpers | GOOGLE_WORKSPACE_PROJECT_ID |
| Standard | GOOGLE_APPLICATION_CREDENTIALS (ADC fallback) |

@changeset-bot

changeset-bot bot commented Mar 5, 2026

🦋 Changeset detected

Latest commit: 04e31e9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
| Name | Type |
| --- | --- |
| @googleworkspace/cli | Patch |

@googleworkspace-bot googleworkspace-bot added the area: core Core CLI parsing, commands, error handling, utilities label Mar 5, 2026
@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the discoverability and configurability of the gws CLI by comprehensively documenting all available environment variables. It centralizes this information in the README.md and AGENTS.md files, provides an updated .env.example for easy setup, and ensures that the gws --help output is complete. Additionally, it enhances flexibility by allowing users to override the configuration directory in production builds.

Highlights

  • Enhanced Environment Variable Documentation: All 11 gws environment variables are now thoroughly documented across multiple files, including a new dedicated section in README.md and categorized tables in AGENTS.md.
  • Enabled CONFIG_DIR Override: The GOOGLE_WORKSPACE_CLI_CONFIG_DIR environment variable can now be used to override the configuration directory in release builds, not just during testing.
  • Improved .env.example: The example .env file has been expanded from 6 to 11 variables, categorized, and includes clear descriptions for better usability.
  • Updated Help Output: Five previously missing environment variables were added to the gws --help command's ENVIRONMENT section, providing a more complete overview of available configurations.
  • Fixed Scope Mutability: A pre-existing mutability error related to scopes in src/auth_commands.rs was resolved, improving code correctness.

Changelog

  • .changeset/document-env-vars.md
    • Added a new changeset file to document the environment variable changes.
  • .env.example
    • Expanded the example file to include all 11 environment variables.
    • Organized variables by category with descriptive comments.
  • AGENTS.md
    • Replaced the previous bullet list of environment variables with categorized tables for improved readability and completeness.
  • README.md
    • Added a new "Environment Variables" reference section.
    • Updated the Table of Contents to include the new section.
  • src/auth_commands.rs
    • Removed the #[cfg(test)] guard from the config_dir function, enabling GOOGLE_WORKSPACE_CLI_CONFIG_DIR override in release builds.
    • Corrected a mutability error by adjusting scopes variable declarations.
  • src/main.rs
    • Added five previously undocumented environment variables to the gws --help command's ENVIRONMENT output.

Activity

  • No specific activity (comments, reviews, progress updates) has been recorded for this pull request yet.

@googleworkspace-bot googleworkspace-bot added the cla: yes This human has signed the Contributor License Agreement. label Mar 5, 2026
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request primarily focuses on improving documentation for environment variables and enabling the GOOGLE_WORKSPACE_CLI_CONFIG_DIR override in release builds. The documentation changes are thorough and well-structured. The code changes correctly enable the configuration override and fix a pre-existing mutability issue. However, I've identified a critical security vulnerability related to the new configuration override. The path from the environment variable is not validated, which could lead to path traversal attacks. My review includes a comment with a suggested fix to address this vulnerability.

@googleworkspace-bot googleworkspace-bot added the gemini: reviewed Gemini Code Assist has reviewed the latest changes label Mar 5, 2026
Member Author

@jpoehnelt jpoehnelt left a comment

Re: path traversal concern on GOOGLE_WORKSPACE_CLI_CONFIG_DIR — environment variables are trusted inputs set by the user (shell profile, .env, deployment config), not untrusted CLI arguments from AI agents. Validating against traversal/absolute paths would make the env var unusable (users need to set absolute paths like /home/user/.gws). This is consistent with XDG_CONFIG_HOME, CARGO_HOME, npm_config_cache, etc., none of which validate their values.

Updated AGENTS.md to explicitly document this trust boundary distinction.
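
The trust boundary described in this reply, as an added sketch that is not the project's code: the environment value is taken as given (absolute paths included), while a path argument from an untrusted caller is confined to a base directory. The function names, the default directory and the sample arguments are assumptions made for the illustration.

```rust
use std::ffi::OsString;
use std::path::{Component, Path, PathBuf};

/// Trusted input: the value of the config-dir environment variable, set by the user.
/// Absolute paths are accepted; an unset or empty value falls back to `default`.
fn config_dir_from_env(value: Option<OsString>, default: &Path) -> PathBuf {
    match value {
        Some(v) if !v.is_empty() => PathBuf::from(v),
        _ => default.to_path_buf(),
    }
}

/// Untrusted input: a path argument supplied by a caller such as an agent.
/// Lexical check only (symlinks are not resolved): no absolute paths, no `..`, no NUL.
fn resolve_untrusted_arg(base: &Path, arg: &str) -> Result<PathBuf, String> {
    if arg.is_empty() || arg.contains('\0') {
        return Err("empty path or NUL byte".to_string());
    }
    let mut out = base.to_path_buf();
    for comp in Path::new(arg).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            Component::ParentDir => {
                return Err(format!("parent traversal in {:?}", arg));
            }
            Component::RootDir | Component::Prefix(_) => {
                return Err(format!("absolute path not allowed: {:?}", arg));
            }
        }
    }
    Ok(out)
}

fn main() {
    // Constructed default directory; the project's real default is not shown on this page.
    let default = Path::new("/constructed/default/gws");
    let env_value = std::env::var_os("GOOGLE_WORKSPACE_CLI_CONFIG_DIR");
    println!("config dir: {}", config_dir_from_env(env_value, default).display());
    // Constructed sample arguments, resolved against a constructed base directory.
    for arg in ["exports/report.json", "../outside.txt", "/tmp/abs"] {
        println!("{:?} -> {:?}", arg, resolve_untrusted_arg(Path::new("/work"), arg));
    }
}
```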

@googleworkspace-bot googleworkspace-bot removed the gemini: reviewed Gemini Code Assist has reviewed the latest changes label Mar 6, 2026
@googleworkspace-bot
Contributor

/gemini review

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request does a great job of documenting all the environment variables used by the CLI, which significantly improves usability and discoverability. Enabling the GOOGLE_WORKSPACE_CLI_CONFIG_DIR override in release builds is a useful feature for users who need to customize their configuration directory. The accompanying code cleanup to fix variable mutability is also a nice improvement.

I have one security-related suggestion in src/auth_commands.rs to add basic sanitization for the path provided via the environment variable to harden the CLI against potential null-byte injection issues. Otherwise, the changes look solid.

@googleworkspace-bot googleworkspace-bot added the gemini: reviewed Gemini Code Assist has reviewed the latest changes label Mar 6, 2026
@googleworkspace-bot
Contributor

/gemini review

@jpoehnelt jpoehnelt merged commit 322529d into main Mar 6, 2026
32 checks passed
@jpoehnelt jpoehnelt deleted the docs/env-vars branch March 6, 2026 00:09
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request significantly improves the documentation for environment variables across .env.example, README.md, and AGENTS.md, and adds them to the CLI's help output. It also enables the GOOGLE_WORKSPACE_CLI_CONFIG_DIR override in release builds. While the documentation changes are excellent, enabling the configuration directory override without validation introduces a critical security vulnerability. My review includes a comment to address this issue.

Comment on lines 95 to 97
if let Ok(dir) = std::env::var("GOOGLE_WORKSPACE_CLI_CONFIG_DIR") {
return PathBuf::from(dir);
}
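
Review bot: `if let Ok(dir) = std::env::var(...)` accepts an empty value, so `GOOGLE_WORKSPACE_CLI_CONFIG_DIR=` yields `PathBuf::from("")` and anything joined onto it resolves relative to the current working directory. `std::env::var` also returns `Err` for a value that is not valid Unicode, which silently falls through to the default directory. Suggest reading the variable with `std::env::var_os`, treating an empty value as unset, and stating both behaviours next to the variable's description.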

security-critical critical

While the AGENTS.md file was updated to state that environment variables are trusted inputs, using the GOOGLE_WORKSPACE_CLI_CONFIG_DIR variable without validation introduces a significant security risk. An attacker who can control the environment variables of the process running gws could set this variable to an arbitrary path. This could lead to:

  1. Credential Exfiltration: Pointing the config directory to a location the attacker can read (e.g., /tmp/gws-config) to steal credentials and tokens.
  2. Impersonation/Privilege Escalation: Pointing to a directory containing attacker-controlled credentials.

Although other environment variables like LD_PRELOAD can be more dangerous, defense-in-depth is crucial, especially for a security-sensitive tool that handles credentials. The project already has path validation logic in src/validate.rs (as mentioned in AGENTS.md). This logic should be applied to the path provided by GOOGLE_WORKSPACE_CLI_CONFIG_DIR to prevent path traversal attacks (CWE-22).

Suggested change
if let Ok(dir) = std::env::var("GOOGLE_WORKSPACE_CLI_CONFIG_DIR") {
return PathBuf::from(dir);
}
if let Ok(dir) = std::env::var("GOOGLE_WORKSPACE_CLI_CONFIG_DIR") {
if crate::validate::validate_safe_dir_path(&dir).is_ok() {
return PathBuf::from(dir);
} else {
eprintln!("Warning: GOOGLE_WORKSPACE_CLI_CONFIG_DIR value ('{}') is invalid or points to a restricted path. Falling back to default config directory.", dir);
}
}
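
Review bot: the `else` branch of the suggested change only prints a warning and then continues with the default config directory, so a user who set GOOGLE_WORKSPACE_CLI_CONFIG_DIR to keep credentials in a separate location would have them read from and written to the default location instead. Returning an error and exiting is the safer failure mode for a credential path. The warning also interpolates the raw value with `'{}'`; `{:?}` would escape control characters before they reach the terminal. Whether `validate_safe_dir_path` accepts absolute paths is not visible in these lines, and the author's reply says absolute values such as /home/user/.gws must keep working, so that needs confirming before the suggestion is applied.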

@codecov

codecov bot commented Mar 6, 2026

Codecov Report

❌ Patch coverage is 0% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.61%. Comparing base (2173a92) to head (04e31e9).
⚠️ Report is 8 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| src/main.rs | 0.00% | 5 Missing ⚠️ |
| src/auth_commands.rs | 0.00% | 2 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #222      +/-   ##
==========================================
+ Coverage   57.56%   57.61%   +0.04%     
==========================================
  Files          38       38              
  Lines       14213    14301      +88     
==========================================
+ Hits         8182     8239      +57     
- Misses       6031     6062      +31     

Labels

  • area: auth
  • area: core (Core CLI parsing, commands, error handling, utilities)
  • area: docs
  • cla: yes (This human has signed the Contributor License Agreement.)
  • gemini: reviewed (Gemini Code Assist has reviewed the latest changes)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Please respect file path conventions (aka: please don’t clutter the home directory)

3 participants