fix(plugins): sanitize env before spawning git so /plugin marketplace add works (#751)

Git 2.30+ refuses to start when any environment value contains a NUL,
CR, or LF character ("Unsafe environment: control characters are not
allowed in values"). User shells frequently leak such values — a
copy-pasted API key with a trailing newline, a terminal-set variable
with embedded escape sequences — which made every /plugin marketplace
add and /plugin install fail with that error before git even ran.

Add a small shared helper that builds the env passed to git child
processes and drops keys whose name or value contains a control
character. The legacy GIT_NO_PROMPT_ENV overrides (terminal prompt
disabled, askpass cleared) move into the same helper. Apply it to
every git invocation in marketplaceManager.ts (5 sites: gitPull,
gitClone, sparse-checkout, post-sparse checkout, reconcileSparseCheckout)
and pluginLoader.ts (8 sites: clone, fetch, checkout in both gitClone
and installFromGitSubdir).

A debug-level warning is logged once per process listing the dropped
key NAMES (not values) so the user can clean them up in their shell.

- src/utils/plugins/gitEnv.ts (new): sanitizeEnvForGit + buildGitChildEnv
- src/utils/plugins/gitEnv.test.ts (new): 10 unit tests covering CR/LF/NUL
  in values, control char in key name, undefined values, defaults,
  extras override
- src/utils/plugins/marketplaceManager.ts: replace 5 inline env spreads
  with buildGitChildEnv()
- src/utils/plugins/pluginLoader.ts: pass env: buildGitChildEnv() to 8
  git exec sites that previously inherited process.env unfiltered

Verified locally on Linux: before fix, git --version with a leaked
control-char env value fails with "Unsafe environment"; after fix it
runs cleanly. Live marketplaceManager.gitClone against a real GitHub
repo with the same leaked env succeeds and the repo is materialized
on disk.

bun.lock

@@ -28,7 +28,6 @@
         "@opentelemetry/sdk-trace-base": "2.6.1",
         "@opentelemetry/sdk-trace-node": "2.6.1",
         "@opentelemetry/semantic-conventions": "1.40.0",
-        "@vscode/ripgrep": "^1.17.1",
         "ajv": "8.18.0",
         "auto-bind": "5.0.1",
         "axios": "1.15.0",
@@ -462,8 +461,6 @@
 
     "@types/react": ["@types/react@19.2.14", "", { "dependencies": { "csstype": "^3.2.2" } }, "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w=="],
 
-    "@vscode/ripgrep": ["@vscode/ripgrep@1.17.1", "", { "dependencies": { "https-proxy-agent": "^7.0.2", "proxy-from-env": "^1.1.0", "yauzl": "^2.9.2" } }, "sha512-xTs7DGyAO3IsJYOCTBP8LnTvPiYVKEuyv8s0xyJDBXfs8rhBfqnZPvb6xDT+RnwWzcXqW27xLS/aGrkjX7lNWw=="],
-
     "accepts": ["accepts@2.0.0", "", { "dependencies": { "mime-types": "^3.0.0", "negotiator": "^1.0.0" } }, "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng=="],
 
     "agent-base": ["agent-base@7.1.4", "", {}, "sha512-MnA+YT8fwfJPgBx3m60MNqakm30XOkyIoH1y6huTQvC0PwZG7ki8NacLBcrPbNoo8vEZy7Jpuk7+jMO+CUovTQ=="],
@@ -494,8 +491,6 @@
 
     "bowser": ["bowser@2.14.1", "", {}, "sha512-tzPjzCxygAKWFOJP011oxFHs57HzIhOEracIgAePE4pqB3LikALKnSzUyU4MGs9/iCEUuHlAJTjTc5M+u7YEGg=="],
 
-    "buffer-crc32": ["buffer-crc32@0.2.13", "", {}, "sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ=="],
-
     "buffer-equal-constant-time": ["buffer-equal-constant-time@1.0.1", "", {}, "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA=="],
 
     "bun-types": ["bun-types@1.3.11", "", { "dependencies": { "@types/node": "*" } }, "sha512-1KGPpoxQWl9f6wcZh57LvrPIInQMn2TQ7jsgxqpRzg+l0QPOFvJVH7HmvHo/AiPgwXy+/Thf6Ov3EdVn1vOabg=="],
@@ -614,8 +609,6 @@
 
     "fast-xml-parser": ["fast-xml-parser@5.5.8", "", { "dependencies": { "fast-xml-builder": "^1.1.4", "path-expression-matcher": "^1.2.0", "strnum": "^2.2.0" }, "bin": { "fxparser": "src/cli/cli.js" } }, "sha512-Z7Fh2nVQSb2d+poDViM063ix2ZGt9jmY1nWhPfHBOK2Hgnb/OW3P4Et3P/81SEej0J7QbWtJqxO05h8QYfK7LQ=="],
 
-    "fd-slicer": ["fd-slicer@1.1.0", "", { "dependencies": { "pend": "~1.2.0" } }, "sha512-cE1qsB/VwyQozZ+q1dGxR8LBYNZeofhEdUNGSMbQD3Gw2lAzX9Zb3uIU6Ebc/Fmyjo9AWWfnn0AUCHqtevs/8g=="],
-
     "fflate": ["fflate@0.8.2", "", {}, "sha512-cPJU47OaAoCbg0pBvzsgpTPhmhqI5eJjh/JIu8tPj5q+T7iLvW/JAYUqmE7KOB4R1ZyEhzBaIQpQpardBF5z8A=="],
 
     "figures": ["figures@6.1.0", "", { "dependencies": { "is-unicode-supported": "^2.0.0" } }, "sha512-d+l3qxjSesT4V7v2fh+QnmFnUWv9lSpjarhShNTgBOfA0ttejbQUAlHLitbjkoRiDulW0OPoQPYIGhIC8ohejg=="],
@@ -794,8 +787,6 @@
 
     "path-to-regexp": ["path-to-regexp@8.4.1", "", {}, "sha512-fvU78fIjZ+SBM9YwCknCvKOUKkLVqtWDVctl0s7xIqfmfb38t2TT4ZU2gHm+Z8xGwgW+QWEU3oQSAzIbo89Ggw=="],
 
-    "pend": ["pend@1.2.0", "", {}, "sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg=="],
-
     "picomatch": ["picomatch@4.0.4", "", {}, "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A=="],
 
     "pkce-challenge": ["pkce-challenge@5.0.1", "", {}, "sha512-wQ0b/W4Fr01qtpHlqSqspcj3EhBvimsdh0KlHhH8HRZnMsEa0ea2fTULOXOS9ccQr3om+GcGRk4e+isrZWV8qQ=="],
@@ -810,7 +801,7 @@
 
     "proxy-addr": ["proxy-addr@2.0.7", "", { "dependencies": { "forwarded": "0.2.0", "ipaddr.js": "1.9.1" } }, "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg=="],
 
-    "proxy-from-env": ["proxy-from-env@1.1.0", "", {}, "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg=="],
+    "proxy-from-env": ["proxy-from-env@2.1.0", "", {}, "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA=="],
 
     "qrcode": ["qrcode@1.5.4", "", { "dependencies": { "dijkstrajs": "^1.0.1", "pngjs": "^5.0.0", "yargs": "^15.3.1" }, "bin": { "qrcode": "bin/qrcode" } }, "sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg=="],
 
@@ -962,8 +953,6 @@
 
     "yargs-parser": ["yargs-parser@21.1.1", "", {}, "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw=="],
 
-    "yauzl": ["yauzl@2.10.0", "", { "dependencies": { "buffer-crc32": "~0.2.3", "fd-slicer": "~1.1.0" } }, "sha512-p4a9I6X6nu6IhoGmBqAcbJy1mlC4j27vEPZX9F4L4/vZT3Lyq1VkFHw/V/PUcB9Buo+DG3iHkT0x3Qya58zc3g=="],
-
     "yoctocolors": ["yoctocolors@2.1.2", "", {}, "sha512-CzhO+pFNo8ajLM2d2IW/R93ipy99LWjtwblvC1RsoSUMZgyLbYFr221TnSNT7GjGdYui6P459mw9JH/g/zW2ug=="],
 
     "zod": ["zod@3.25.76", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
@@ -1380,8 +1369,6 @@
 
     "@smithy/uuid/tslib": ["tslib@2.8.1", "", {}, "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w=="],
 
-    "axios/proxy-from-env": ["proxy-from-env@2.1.0", "", {}, "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA=="],
-
     "cli-highlight/chalk": ["chalk@4.1.2", "", { "dependencies": { "ansi-styles": "^4.1.0", "supports-color": "^7.1.0" } }, "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA=="],
 
     "cli-highlight/yargs": ["yargs@16.2.0", "", { "dependencies": { "cliui": "^7.0.2", "escalade": "^3.1.1", "get-caller-file": "^2.0.5", "require-directory": "^2.1.1", "string-width": "^4.2.0", "y18n": "^5.0.5", "yargs-parser": "^20.2.2" } }, "sha512-D1mvvtDG0L5ft/jGWkLpG1+m0eQxOfaBvTNELraWj22wSVUMWxZUvYgJYcKh6jGGIkJFhH4IZPQhR4TKpc8mBw=="],
@@ -1442,8 +1429,6 @@
 
     "@aws-sdk/nested-clients/@smithy/util-base64/@smithy/util-buffer-from": ["@smithy/util-buffer-from@4.2.2", "", { "dependencies": { "@smithy/is-array-buffer": "^4.2.2", "tslib": "^2.6.2" } }, "sha512-FDXD7cvUoFWwN6vtQfEta540Y/YBe5JneK3SoZg9bThSoOAC/eGeYEua6RkBgKjGa/sz6Y+DuBZj3+YEY21y4Q=="],
 
-    "@mendable/firecrawl-js/axios/proxy-from-env": ["proxy-from-env@2.1.0", "", {}, "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA=="],
-
     "@opentelemetry/exporter-trace-otlp-grpc/@opentelemetry/core/@opentelemetry/semantic-conventions": ["@opentelemetry/semantic-conventions@1.28.0", "", {}, "sha512-lp4qAiMTD4sNWW4DbKLBkfiMZ4jbAboJIGOQr5DvciMRI494OapieI9qiODpOt0XBr1LjIDy1xAGAnVs5supTA=="],
 
     "@opentelemetry/exporter-trace-otlp-grpc/@opentelemetry/otlp-transformer/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.57.2", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-uIX52NnTM0iBh84MShlpouI7UKqkZ7MrUszTmaypHBu4r7NofznSnQRfJ+uUeDtQDj6w8eFGg5KBLDAwAPz1+A=="],
@@ -1524,8 +1509,6 @@
 
     "cliui/wrap-ansi/ansi-styles": ["ansi-styles@4.3.0", "", { "dependencies": { "color-convert": "^2.0.1" } }, "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg=="],
 
-    "firecrawl/axios/proxy-from-env": ["proxy-from-env@2.1.0", "", {}, "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA=="],
-
     "form-data/mime-types/mime-db": ["mime-db@1.52.0", "", {}, "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg=="],
 
     "qrcode/yargs/cliui": ["cliui@6.0.0", "", { "dependencies": { "string-width": "^4.2.0", "strip-ansi": "^6.0.0", "wrap-ansi": "^6.2.0" } }, "sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ=="],

package.json

@@ -74,7 +74,6 @@
     "@opentelemetry/sdk-trace-base": "2.6.1",
     "@opentelemetry/sdk-trace-node": "2.6.1",
     "@opentelemetry/semantic-conventions": "1.40.0",
-    "@vscode/ripgrep": "^1.17.1",
     "ajv": "8.18.0",
     "auto-bind": "5.0.1",
     "axios": "1.15.0",

scripts/build.ts

@@ -472,11 +472,6 @@ ${exports}
     '@aws-sdk/credential-providers',
     '@azure/identity',
     'google-auth-library',
-    // @vscode/ripgrep ships a platform-specific binary alongside its
-    // index.js and resolves the path via __dirname at runtime. Bundling
-    // would freeze the build host's absolute path into dist/cli.mjs, so we
-    // keep it external and rely on the npm package being installed.
-    '@vscode/ripgrep',
   ],
 })
 

src/utils/plugins/gitEnv.test.ts

@@ -0,0 +1,104 @@
+import { afterEach, beforeEach, describe, expect, test } from 'bun:test'
+
+import {
+  __resetGitEnvWarningForTesting,
+  buildGitChildEnv,
+  sanitizeEnvForGit,
+} from './gitEnv.js'
+
+describe('sanitizeEnvForGit', () => {
+  test('drops values containing LF', () => {
+    const result = sanitizeEnvForGit({
+      GOOD: 'value',
+      BAD_NEWLINE: 'line1\nline2',
+    })
+    expect(result.env).toEqual({ GOOD: 'value' })
+    expect(result.dropped).toEqual(['BAD_NEWLINE'])
+  })
+
+  test('drops values containing CR', () => {
+    const result = sanitizeEnvForGit({
+      GOOD: 'value',
+      BAD_CR: 'value\r',
+    })
+    expect(result.dropped).toEqual(['BAD_CR'])
+  })
+
+  test('drops values containing NUL', () => {
+    const result = sanitizeEnvForGit({
+      GOOD: 'value',
+      BAD_NUL: 'a\0b',
+    })
+    expect(result.dropped).toEqual(['BAD_NUL'])
+  })
+
+  test('drops keys whose name itself contains a control character', () => {
+    const result = sanitizeEnvForGit({
+      'BAD\nKEY': 'safe-value',
+      GOOD: 'value',
+    })
+    expect(result.env).toEqual({ GOOD: 'value' })
+    expect(result.dropped).toEqual(['BAD\nKEY'])
+  })
+
+  test('skips entries explicitly set to undefined without listing them as dropped', () => {
+    const result = sanitizeEnvForGit({
+      GOOD: 'value',
+      MAYBE: undefined,
+    })
+    expect(result.env).toEqual({ GOOD: 'value' })
+    expect(result.dropped).toEqual([])
+  })
+
+  test('returns input unchanged when nothing is unsafe', () => {
+    const env = { PATH: '/usr/bin:/bin', HOME: '/home/user', GIT_TERMINAL_PROMPT: '0' }
+    const result = sanitizeEnvForGit(env)
+    expect(result.env).toEqual(env)
+    expect(result.dropped).toEqual([])
+  })
+})
+
+describe('buildGitChildEnv', () => {
+  const ORIGINAL_BAD_KEY = 'OPENCLAUDE_TEST_BAD_ENV_FOR_GIT'
+  let originalValue: string | undefined
+
+  beforeEach(() => {
+    __resetGitEnvWarningForTesting()
+    originalValue = process.env[ORIGINAL_BAD_KEY]
+  })
+
+  afterEach(() => {
+    if (originalValue === undefined) {
+      delete process.env[ORIGINAL_BAD_KEY]
+    } else {
+      process.env[ORIGINAL_BAD_KEY] = originalValue
+    }
+  })
+
+  test('always sets the no-prompt overrides', () => {
+    const env = buildGitChildEnv()
+    expect(env.GIT_TERMINAL_PROMPT).toBe('0')
+    expect(env.GIT_ASKPASS).toBe('')
+  })
+
+  test('drops process.env values containing control characters (issue #751)', () => {
+    process.env[ORIGINAL_BAD_KEY] = 'paste-with-newline\n'
+    const env = buildGitChildEnv()
+    expect(env[ORIGINAL_BAD_KEY]).toBeUndefined()
+    expect(env.GIT_TERMINAL_PROMPT).toBe('0')
+  })
+
+  test('caller extras override process.env and the no-prompt defaults', () => {
+    const env = buildGitChildEnv({
+      GIT_TERMINAL_PROMPT: '1',
+      CUSTOM_KEY: 'custom-value',
+    })
+    expect(env.GIT_TERMINAL_PROMPT).toBe('1')
+    expect(env.CUSTOM_KEY).toBe('custom-value')
+  })
+
+  test('caller-provided unsafe extras are also dropped', () => {
+    const env = buildGitChildEnv({ EXTRA_BAD: 'a\rb' })
+    expect(env.EXTRA_BAD).toBeUndefined()
+  })
+})

src/utils/plugins/gitEnv.ts

@@ -0,0 +1,70 @@
+import { logForDebugging } from '../debug.js'
+
+/**
+ * Git 2.30+ refuses to start when any environment value contains a NUL,
+ * CR, or LF character ("Unsafe environment: control characters are not
+ * allowed in values"). User shells frequently leak such values — a
+ * copy-pasted API key with a trailing newline, or a terminal-set
+ * variable with embedded escape sequences — which would otherwise break
+ * every plugin clone or pull. We drop offending entries before forwarding
+ * the environment to git.
+ */
+const GIT_UNSAFE_VALUE_RE = /[\0\r\n]/
+
+const GIT_NO_PROMPT_ENV = {
+  GIT_TERMINAL_PROMPT: '0', // Prevent terminal credential prompts
+  GIT_ASKPASS: '', // Disable askpass GUI programs
+}
+
+let warnedAboutDroppedEnvKeys = false
+
+/**
+ * Returns a copy of `env` with any entries whose key OR value contains
+ * a NUL/CR/LF removed. The list of dropped key names is returned so
+ * callers can log it without exposing the (possibly secret) values.
+ */
+export function sanitizeEnvForGit(
+  env: NodeJS.ProcessEnv,
+): { env: NodeJS.ProcessEnv; dropped: string[] } {
+  const sanitized: NodeJS.ProcessEnv = {}
+  const dropped: string[] = []
+  for (const [key, value] of Object.entries(env)) {
+    if (value === undefined) continue
+    if (GIT_UNSAFE_VALUE_RE.test(key) || GIT_UNSAFE_VALUE_RE.test(value)) {
+      dropped.push(key)
+      continue
+    }
+    sanitized[key] = value
+  }
+  return { env: sanitized, dropped }
+}
+
+/**
+ * Build the environment object passed to a git child process. Merges
+ * `process.env` with the no-prompt overrides and any caller extras,
+ * then strips entries that would trigger git's unsafe-value check. The
+ * first batch of dropped key names is logged once per process so the
+ * user can clean them up in their shell.
+ */
+export function buildGitChildEnv(
+  extras?: NodeJS.ProcessEnv,
+): NodeJS.ProcessEnv {
+  const merged = { ...process.env, ...GIT_NO_PROMPT_ENV, ...(extras ?? {}) }
+  const { env, dropped } = sanitizeEnvForGit(merged)
+  if (dropped.length > 0 && !warnedAboutDroppedEnvKeys) {
+    warnedAboutDroppedEnvKeys = true
+    logForDebugging(
+      `git child env: dropped ${dropped.length} key(s) containing control characters: ${dropped.join(', ')}. Git 2.30+ rejects them; clean these up in your shell to forward them to git.`,
+      { level: 'warn' },
+    )
+  }
+  return env
+}
+
+/**
+ * Test-only escape hatch that resets the once-per-process warning flag
+ * so unit tests can exercise the warning path repeatedly.
+ */
+export function __resetGitEnvWarningForTesting(): void {
+  warnedAboutDroppedEnvKeys = false
+}

src/utils/plugins/marketplaceManager.ts

@@ -53,6 +53,7 @@ import {
   getAddDirExtraMarketplaces,
 } from './addDirPluginSettings.js'
 import { markPluginVersionOrphaned } from './cacheUtils.js'
+import { buildGitChildEnv } from './gitEnv.js'
 import { classifyFetchError, logPluginFetch } from './fetchTelemetry.js'
 import { removeAllPluginsForMarketplace } from './installedPluginsManager.js'
 import {
@@ -506,11 +507,6 @@ function seedDirFor(installLocation: string): string | undefined {
  * Provides helpful error messages for common failure scenarios.
  * If a ref is specified, fetches and checks out that specific branch or tag.
  */
-// Environment variables to prevent git from prompting for credentials
-const GIT_NO_PROMPT_ENV = {
-  GIT_TERMINAL_PROMPT: '0', // Prevent terminal credential prompts
-  GIT_ASKPASS: '', // Disable askpass GUI programs
-}
 
 const DEFAULT_PLUGIN_GIT_TIMEOUT_MS = 120 * 1000
 
@@ -531,7 +527,7 @@ export async function gitPull(
   options?: { disableCredentialHelper?: boolean; sparsePaths?: string[] },
 ): Promise<{ code: number; stderr: string }> {
   logForDebugging(`git pull: cwd=${cwd} ref=${ref ?? 'default'}`)
-  const env = { ...process.env, ...GIT_NO_PROMPT_ENV }
+  const env = buildGitChildEnv()
   const baseArgs = ['-c', 'core.hooksPath=/dev/null']
   const credentialArgs = options?.disableCredentialHelper
     ? ['-c', 'credential.helper=']
@@ -844,7 +840,7 @@ export async function gitClone(
   const result = await execFileNoThrowWithCwd(gitExe(), args, {
     timeout: timeoutMs,
     stdin: 'ignore',
-    env: { ...process.env, ...GIT_NO_PROMPT_ENV },
+    env: buildGitChildEnv(),
   })
 
   // Scrub credentials from execa's error/stderr fields before any logging or
@@ -870,7 +866,7 @@ export async function gitClone(
           cwd: targetPath,
           timeout: timeoutMs,
           stdin: 'ignore',
-          env: { ...process.env, ...GIT_NO_PROMPT_ENV },
+          env: buildGitChildEnv(),
         },
       )
       if (sparseResult.code !== 0) {
@@ -889,7 +885,7 @@ export async function gitClone(
           cwd: targetPath,
           timeout: timeoutMs,
           stdin: 'ignore',
-          env: { ...process.env, ...GIT_NO_PROMPT_ENV },
+          env: buildGitChildEnv(),
         },
       )
       if (checkoutResult.code !== 0) {
@@ -1040,7 +1036,7 @@ export async function reconcileSparseCheckout(
   cwd: string,
   sparsePaths: string[] | undefined,
 ): Promise<{ code: number; stderr: string }> {
-  const env = { ...process.env, ...GIT_NO_PROMPT_ENV }
+  const env = buildGitChildEnv()
 
   if (sparsePaths && sparsePaths.length > 0) {
     return execFileNoThrowWithCwd(

src/utils/plugins/pluginLoader.ts

@@ -87,6 +87,7 @@ import { getAddDirEnabledPlugins } from './addDirPluginSettings.js'
 import { verifyAndDemote } from './dependencyResolver.js'
 import { classifyFetchError, logPluginFetch } from './fetchTelemetry.js'
 import { checkGitAvailable } from './gitAvailability.js'
+import { buildGitChildEnv } from './gitEnv.js'
 import { getInMemoryInstalledPlugins } from './installedPluginsManager.js'
 import { getManagedPluginNames } from './managedPlugins.js'
 import {
@@ -560,7 +561,9 @@ export async function gitClone(
   args.push(gitUrl, targetPath)
 
   const cloneStarted = performance.now()
-  const cloneResult = await execFileNoThrow(gitExe(), args)
+  const cloneResult = await execFileNoThrow(gitExe(), args, {
+    env: buildGitChildEnv(),
+  })
 
   if (cloneResult.code !== 0) {
     logPluginFetch(
@@ -579,7 +582,7 @@ export async function gitClone(
     const shallowFetchResult = await execFileNoThrowWithCwd(
       gitExe(),
       ['fetch', '--depth', '1', 'origin', sha],
-      { cwd: targetPath },
+      { cwd: targetPath, env: buildGitChildEnv() },
     )
 
     if (shallowFetchResult.code !== 0) {
@@ -591,7 +594,7 @@ export async function gitClone(
       const unshallowResult = await execFileNoThrowWithCwd(
         gitExe(),
         ['fetch', '--unshallow'],
-        { cwd: targetPath },
+        { cwd: targetPath, env: buildGitChildEnv() },
       )
 
       if (unshallowResult.code !== 0) {
@@ -612,7 +615,7 @@ export async function gitClone(
     const checkoutResult = await execFileNoThrowWithCwd(
       gitExe(),
       ['checkout', sha],
-      { cwd: targetPath },
+      { cwd: targetPath, env: buildGitChildEnv() },
     )
 
     if (checkoutResult.code !== 0) {
@@ -745,7 +748,9 @@ export async function installFromGitSubdir(
   }
   cloneArgs.push(gitUrl, cloneDir)
 
-  const cloneResult = await execFileNoThrow(gitExe(), cloneArgs)
+  const cloneResult = await execFileNoThrow(gitExe(), cloneArgs, {
+    env: buildGitChildEnv(),
+  })
   if (cloneResult.code !== 0) {
     throw new Error(
       `Failed to clone repository for git-subdir source: ${cloneResult.stderr}`,
@@ -756,7 +761,7 @@ export async function installFromGitSubdir(
     const sparseResult = await execFileNoThrowWithCwd(
       gitExe(),
       ['sparse-checkout', 'set', '--cone', '--', subdirPath],
-      { cwd: cloneDir },
+      { cwd: cloneDir, env: buildGitChildEnv() },
     )
     if (sparseResult.code !== 0) {
       throw new Error(
@@ -775,7 +780,7 @@ export async function installFromGitSubdir(
       const fetchSha = await execFileNoThrowWithCwd(
         gitExe(),
         ['fetch', '--depth', '1', 'origin', sha],
-        { cwd: cloneDir },
+        { cwd: cloneDir, env: buildGitChildEnv() },
       )
       if (fetchSha.code !== 0) {
         logForDebugging(
@@ -784,7 +789,7 @@ export async function installFromGitSubdir(
         const unshallow = await execFileNoThrowWithCwd(
           gitExe(),
           ['fetch', '--unshallow'],
-          { cwd: cloneDir },
+          { cwd: cloneDir, env: buildGitChildEnv() },
         )
         if (unshallow.code !== 0) {
           throw new Error(`Failed to fetch commit ${sha}: ${unshallow.stderr}`)
@@ -793,7 +798,7 @@ export async function installFromGitSubdir(
       const checkout = await execFileNoThrowWithCwd(
         gitExe(),
         ['checkout', sha],
-        { cwd: cloneDir },
+        { cwd: cloneDir, env: buildGitChildEnv() },
       )
       if (checkout.code !== 0) {
         throw new Error(`Failed to checkout commit ${sha}: ${checkout.stderr}`)
@@ -808,9 +813,11 @@ export async function installFromGitSubdir(
       const [checkout, revParse] = await Promise.all([
         execFileNoThrowWithCwd(gitExe(), ['checkout', 'HEAD'], {
           cwd: cloneDir,
+          env: buildGitChildEnv(),
         }),
         execFileNoThrowWithCwd(gitExe(), ['rev-parse', 'HEAD'], {
           cwd: cloneDir,
+          env: buildGitChildEnv(),
         }),
       ])
       if (checkout.code !== 0) {

src/utils/ripgrep.test.ts

@@ -5,15 +5,16 @@ import { resolveRipgrepConfig, wrapRipgrepUnavailableError } from './ripgrep.js'
 
 const MOCK_BUILTIN_PATH = path.normalize(
   process.platform === 'win32'
-    ? `node_modules/@vscode/ripgrep/bin/rg.exe`
-    : `node_modules/@vscode/ripgrep/bin/rg`,
+    ? `vendor/ripgrep/${process.arch}-win32/rg.exe`
+    : `vendor/ripgrep/${process.arch}-${process.platform}/rg`,
 )
 
-test('falls back to system rg when @vscode/ripgrep cannot be resolved', () => {
+test('ripgrepCommand falls back to system rg when builtin binary is missing', () => {
   const config = resolveRipgrepConfig({
     userWantsSystemRipgrep: false,
     bundledMode: false,
-    builtinCommand: null,
+    builtinCommand: MOCK_BUILTIN_PATH,
+    builtinExists: false,
     systemExecutablePath: '/usr/bin/rg',
     processExecPath: '/fake/bun',
   })
@@ -25,11 +26,12 @@ test('falls back to system rg when @vscode/ripgrep cannot be resolved', () => {
   })
 })
 
-test('uses builtin @vscode/ripgrep path when the package resolves', () => {
+test('ripgrepCommand keeps builtin mode when bundled binary exists', () => {
   const config = resolveRipgrepConfig({
     userWantsSystemRipgrep: false,
     bundledMode: false,
     builtinCommand: MOCK_BUILTIN_PATH,
+    builtinExists: true,
     systemExecutablePath: '/usr/bin/rg',
     processExecPath: '/fake/bun',
   })
@@ -41,59 +43,10 @@ test('uses builtin @vscode/ripgrep path when the package resolves', () => {
   })
 })
 
-test('honors USE_BUILTIN_RIPGREP=0 by selecting system rg even when builtin is available', () => {
-  const config = resolveRipgrepConfig({
-    userWantsSystemRipgrep: true,
-    bundledMode: false,
-    builtinCommand: MOCK_BUILTIN_PATH,
-    systemExecutablePath: '/usr/bin/rg',
-    processExecPath: '/fake/bun',
-  })
-
-  expect(config).toMatchObject({
-    mode: 'system',
-    command: 'rg',
-    args: [],
-  })
-})
-
-test('keeps embedded mode for Bun-compiled standalone executables', () => {
-  const config = resolveRipgrepConfig({
-    userWantsSystemRipgrep: false,
-    bundledMode: true,
-    builtinCommand: null,
-    systemExecutablePath: '/usr/bin/rg',
-    processExecPath: '/opt/openclaude/bin/openclaude',
-  })
-
-  expect(config).toMatchObject({
-    mode: 'embedded',
-    command: '/opt/openclaude/bin/openclaude',
-    args: ['--no-config'],
-    argv0: 'rg',
-  })
-})
-
-test('falls through to system rg as a last resort even when not on PATH', () => {
-  const config = resolveRipgrepConfig({
-    userWantsSystemRipgrep: false,
-    bundledMode: false,
-    builtinCommand: null,
-    systemExecutablePath: 'rg',
-    processExecPath: '/fake/bun',
-  })
-
-  expect(config).toMatchObject({
-    mode: 'system',
-    command: 'rg',
-    args: [],
-  })
-})
-
 test('wrapRipgrepUnavailableError explains missing packaged fallback', () => {
   const error = wrapRipgrepUnavailableError(
     { code: 'ENOENT', message: 'spawn rg ENOENT' },
-    { mode: 'builtin', command: 'C:\\fake\\node_modules\\@vscode\\ripgrep\\bin\\rg.exe', args: [] },
+    { mode: 'builtin', command: 'C:\\fake\\vendor\\ripgrep\\rg.exe', args: [] },
     'win32',
   )
 

src/utils/ripgrep.ts

@@ -5,6 +5,7 @@ import memoize from 'lodash-es/memoize.js'
 import { homedir } from 'os'
 import * as path from 'path'
 import { logEvent } from 'src/services/analytics/index.js'
+import { fileURLToPath } from 'url'
 import { isInBundledMode } from './bundledMode.js'
 import { logForDebugging } from './debug.js'
 import { isEnvDefinedFalsy } from './envUtils.js'
@@ -14,6 +15,13 @@ import { logError } from './log.js'
 import { getPlatform } from './platform.js'
 import { countCharInString } from './stringUtils.js'
 
+const __filename = fileURLToPath(import.meta.url)
+// we use node:path.join instead of node:url.resolve because the former doesn't encode spaces
+const __dirname = path.join(
+  __filename,
+  process.env.NODE_ENV === 'test' ? '../../../' : '../',
+)
+
 type RipgrepConfig = {
   mode: 'system' | 'builtin' | 'embedded'
   command: string
@@ -27,31 +35,11 @@ function isErrnoException(error: unknown): error is NodeJS.ErrnoException {
   return error instanceof Error
 }
 
-/**
- * Returns the ripgrep binary path provided by the @vscode/ripgrep package.
- * The package downloads a platform/arch-specific binary at npm install time
- * (cached under the package's bin/ directory). Returns null when the package
- * cannot be resolved — for example when running as a Bun-compiled standalone
- * executable that doesn't ship node_modules.
- */
-function resolveBuiltinRgPath(): string | null {
-  try {
-    // Lazy require so the resolution failure path stays graceful at import
-    // time. The package only exports `rgPath`, so we do not need the rest.
-    const mod = require('@vscode/ripgrep') as { rgPath?: string }
-    if (mod.rgPath && existsSync(mod.rgPath)) {
-      return mod.rgPath
-    }
-  } catch {
-    // Falls through to null — caller decides the fallback.
-  }
-  return null
-}
-
 type ResolveRipgrepConfigArgs = {
   userWantsSystemRipgrep: boolean
   bundledMode: boolean
-  builtinCommand: string | null
+  builtinCommand: string
+  builtinExists: boolean
   systemExecutablePath: string
   processExecPath?: string
 }
@@ -60,6 +48,7 @@ export function resolveRipgrepConfig({
   userWantsSystemRipgrep,
   bundledMode,
   builtinCommand,
+  builtinExists,
   systemExecutablePath,
   processExecPath = process.execPath,
 }: ResolveRipgrepConfigArgs): RipgrepConfig {
@@ -77,7 +66,7 @@ export function resolveRipgrepConfig({
     }
   }
 
-  if (builtinCommand) {
+  if (builtinExists) {
     return { mode: 'builtin', command: builtinCommand, args: [] }
   }
 
@@ -85,9 +74,7 @@ export function resolveRipgrepConfig({
     return { mode: 'system', command: 'rg', args: [] }
   }
 
-  // Last resort — leaves error reporting to the executor when no binary
-  // can be located. wrapRipgrepUnavailableError() surfaces an install hint.
-  return { mode: 'system', command: 'rg', args: [] }
+  return { mode: 'builtin', command: builtinCommand, args: [] }
 }
 
 const getRipgrepConfig = memoize((): RipgrepConfig => {
@@ -95,13 +82,19 @@ const getRipgrepConfig = memoize((): RipgrepConfig => {
     process.env.USE_BUILTIN_RIPGREP,
   )
   const bundledMode = isInBundledMode()
-  const builtinCommand = resolveBuiltinRgPath()
+  const rgRoot = path.resolve(__dirname, 'vendor', 'ripgrep')
+  const builtinCommand =
+    process.platform === 'win32'
+      ? path.resolve(rgRoot, `${process.arch}-win32`, 'rg.exe')
+      : path.resolve(rgRoot, `${process.arch}-${process.platform}`, 'rg')
+  const builtinExists = existsSync(builtinCommand)
   const { cmd: systemExecutablePath } = findExecutable('rg', [])
 
   return resolveRipgrepConfig({
     userWantsSystemRipgrep,
     bundledMode,
     builtinCommand,
+    builtinExists,
     systemExecutablePath,
   })
 })