A native-executable build bakes the jolt ctx, and env-reading libraries (config.core/load-env) snapshot the ENTIRE build environment into it — jpm marshals that into the binary. GitHub push protection caught real API tokens inside an example's build output this way. With JOLT_BAKE_ENV_ALLOWLIST set (comma-separated names — a project's build.sh exports it for the bake), System/getenv serves only the listed variables: single-name reads of unlisted vars return nil and the full snapshot is filtered. Unset — every normal runtime — reads stay live and unfiltered, so a baked binary that re-reads env at startup (config.core/ reload-env) sees the real runtime environment. Verified A/B on ring-app: a planted token appears in the unscrubbed binary (strings | grep: 1 hit) and not in the scrubbed one (0), which still serves. Direct janet.os/environ bridge calls remain unfiltered host access, as documented. |
||
|---|---|---|
| .. | ||
| bench | ||
| clojure-stdlib/clojure | ||
| integration | ||
| spec | ||
| support | ||
| unit | ||