feat(config): add env var substitution in config values

Support ${VAR_NAME} syntax in any config string value, substituted at config load time. Useful for referencing API keys and secrets from environment variables without hardcoding them in the config file. - Only uppercase env vars matched: [A-Z_][A-Z0-9_]* - Missing/empty env vars throw MissingEnvVarError with path context - Escape with $${VAR} to output literal ${VAR} - Works with $include (included files also get substitution) Closes #1009
2026-01-16 16:32:07 -05:00
parent d887027e95
commit a36735b913
5 changed files with 469 additions and 4 deletions
--- a/docs/environment.md
+++ b/docs/environment.md
@@ -53,6 +53,24 @@ Env var equivalents:
 - `CLAWDBOT_LOAD_SHELL_ENV=1`
 - `CLAWDBOT_SHELL_ENV_TIMEOUT_MS=15000`

+## Env var substitution in config
+
+You can reference env vars directly in config string values using `${VAR_NAME}` syntax:
+
+```json5
+{
+  models: {
+    providers: {
+      "vercel-gateway": {
+        apiKey: "${VERCEL_GATEWAY_API_KEY}"
+      }
+    }
+  }
+}
+```
+
+See [Configuration: Env var substitution](/gateway/configuration#env-var-substitution-in-config) for full details.
+
 ## Related

 - [Gateway configuration](/gateway/configuration)
--- a/docs/gateway/configuration.md
+++ b/docs/gateway/configuration.md
@@ -283,6 +283,48 @@ Env var equivalent:
 - `CLAWDBOT_LOAD_SHELL_ENV=1`
 - `CLAWDBOT_SHELL_ENV_TIMEOUT_MS=15000`

+### Env var substitution in config
+
+You can reference environment variables directly in any config string value using
+`${VAR_NAME}` syntax. Variables are substituted at config load time, before validation.
+
+```json5
+{
+  models: {
+    providers: {
+      "vercel-gateway": {
+        apiKey: "${VERCEL_GATEWAY_API_KEY}"
+      }
+    }
+  },
+  gateway: {
+    auth: {
+      token: "${CLAWDBOT_GATEWAY_TOKEN}"
+    }
+  }
+}
+```
+
+**Rules:**
+- Only uppercase env var names are matched: `[A-Z_][A-Z0-9_]*`
+- Missing or empty env vars throw an error at config load
+- Escape with `$${VAR}` to output a literal `${VAR}`
+- Works with `$include` (included files also get substitution)
+
+**Inline substitution:**
+
+```json5
+{
+  models: {
+    providers: {
+      custom: {
+        baseUrl: "${CUSTOM_API_BASE}/v1"  // → "https://api.example.com/v1"
+      }
+    }
+  }
+}
+```
+
 ### Auth storage (OAuth + API keys)

 Clawdbot stores **per-agent** auth profiles (OAuth + API keys) in: