Add ${cmd:...} dynamic string interpolation backend #430

Resolves config values by running an arbitrary shell command and using
its trimmed stdout (e.g. `${cmd:pass show eca/key}`,
`${cmd:op read op://vault/Item/credential}`), removing the need for
LaunchAgent workarounds to inject secrets into GUI-launched ECA Desktop.

On macOS the user's interactive login shell is queried once for $PATH
(`$SHELL -ilc`) and the result cached, so Homebrew/mise/asdf shims
and anything sourced from .zshrc/.zprofile resolve correctly. Falls
back to prepending /opt/homebrew/bin, /usr/local/bin and ~/.local/bin
if the shell query fails (timeout, unsupported shell, etc.).

Closes #430

🤖 Generated with [eca](https://eca.dev)

Co-Authored-By: eca-agent <git@eca.dev>

Author: ericdallo

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 - Improve rules with frontmatter filters, condition variables, path-scoped loading, enforcement support, and clearer documentation. #222
 - `preToolCall` hooks now receive `approval: "ask"` for the native `ask_user` tool so notification hooks (e.g. matching `.approval == "ask"`) also fire when the chat is blocked waiting for a user answer, regardless of trust mode.
+- New `${cmd:some command}` dynamic string backend that resolves to the trimmed stdout of a shell command, useful for password managers like `pass` or `op`. On macOS the user's interactive shell `$PATH` is queried once so GUI-launched ECA picks up Homebrew, `mise`/`asdf` shims, etc. #430
 
 ## 0.129.2
 

docs/config.json

@@ -482,17 +482,17 @@
         },
         "url": {
           "type": "string",
-          "description": "Base URL for the provider's API. Supports dynamic strings like ${env:VAR}.",
-          "markdownDescription": "Base URL for the provider's API. Supports dynamic strings like ${env:VAR}.",
+          "description": "Base URL for the provider's API. Supports dynamic strings like ${env:VAR} or ${cmd:command}.",
+          "markdownDescription": "Base URL for the provider's API. Supports dynamic strings like `${env:VAR}` or `${cmd:command}`.",
           "format": "uri"
         },
         "key": {
           "type": [
             "string",
             "null"
           ],
-          "description": "API key for authentication. Supports dynamic strings like ${env:MY_API_KEY}.",
-          "markdownDescription": "API key for authentication. Supports dynamic strings like ${env:MY_API_KEY}."
+          "description": "API key for authentication. Supports dynamic strings like ${env:MY_API_KEY}, ${netrc:host} or ${cmd:pass show eca/api-key}.",
+          "markdownDescription": "API key for authentication. Supports dynamic strings like `${env:MY_API_KEY}`, `${netrc:host}` or `${cmd:pass show eca/api-key}`."
         },
         "keyRc": {
           "type": "string",

docs/config/introduction.md

@@ -60,6 +60,13 @@ It's possible to retrieve content of any configs with a string value using the `
 - `env`: `${env:MY_ENV}` to get a system env value with support for default values: `${env:MY_ENV:foo}`
 - `classpath`: `${classpath:path/to/eca/file}` to get a file content from [ECA's classpath](https://github.com/editor-code-assistant/eca/tree/master/resources)
 - `netrc`: Support Unix RC [credential files](./models.md#credential-file-authentication)
+- `cmd`: `${cmd:some command}` to run a command via the platform shell (`bash -c` on POSIX, PowerShell on Windows) and use its trimmed stdout — useful for password managers like `${cmd:pass show eca/api-key}` or `${cmd:op read op://vault/Item/credential}`. On non-zero exit/timeout the value falls back to an empty string and a warning is logged. The command itself cannot contain `}` (the closing brace ends the placeholder); for commands like `awk '{print $1}' …`, wrap them in a small script or shell function.
+
+!!! info "macOS GUI launches"
+
+    When ECA runs from Finder/Dock (e.g. via ECA Desktop) the inherited `PATH` is minimal and Homebrew, `mise`/`asdf` shims, etc. are not visible. To fix this, on macOS the `cmd` backend spawns the user's interactive login shell once (`$SHELL -ilc '…'`) and reuses the captured `$PATH` for subsequent `${cmd:...}` resolutions — so anything sourced from `.zshrc`/`.zprofile`/`.bash_profile` is picked up automatically. If the shell query fails or your shell isn't bash/zsh/sh/dash/ksh, ECA falls back to prepending `/opt/homebrew/bin`, `/usr/local/bin` and `~/.local/bin`. As a last resort, use an absolute path (e.g. `${cmd:/opt/custom/bin/my-tool ...}`).
+
+    Linux GUI launches can have a similar (less severe) `PATH` gap, but shell-`PATH` discovery is currently macOS-only — Linux users with the same problem should use absolute paths in `${cmd:...}` for now.
 
 !!! info Markdown support
 

docs/config/models.md

@@ -314,8 +314,8 @@ Schema:
 | Option                            | Type    | Description                                                                                                  | Required |
 |-----------------------------------|---------|--------------------------------------------------------------------------------------------------------------|----------|
 | `api`                             | string  | The API schema to use (`"openai-responses"`, `"openai-chat"`, or `"anthropic"`)                              | Yes      |
-| `url`                             | string  | API URL (with support for env like `${env:MY_URL}`)                                                          | No*      |
-| `key`                             | string  | API key (with support for `${env:MY_KEY}` or `{netrc:api.my-provider.com}`                                   | No*      |
+| `url`                             | string  | API URL (with support for dynamic strings like `${env:MY_URL}` or `${cmd:...}`)                              | No*      |
+| `key`                             | string  | API key (with support for dynamic strings like `${env:MY_KEY}`, `${netrc:api.my-provider.com}` or `${cmd:pass show eca/key}`) | No*      |
 | `completionUrlRelativePath`       | string  | Optional override for the completion endpoint path (see defaults below and examples like Azure)              | No       |
 | `thinkTagStart`                   | string  | Optional override the think start tag tag for openai-chat (Default: "<think>") api                           | No       |
 | `thinkTagEnd`                     | string  | Optional override the think end tag for openai-chat (Default: "</think>") api                                | No       |

src/eca/interpolation.clj

@@ -3,9 +3,19 @@
   - `${env:SOME-ENV:default-value}`: environment variable with optional default
   - `${file:/some/path}`: file content (relative paths resolved from cwd)
   - `${classpath:path/to/file}`: classpath resource content
-  - `${netrc:api.provider.com}`: credential from Unix netrc files"
+  - `${netrc:api.provider.com}`: credential from Unix netrc files
+  - `${cmd:some command}`: stdout of an arbitrary shell command
+
+  For `${cmd:...}` on macOS, the inherited PATH for GUI-launched apps
+  (Finder/Dock) is minimal, so commands like `pass` and `op` won't resolve.
+  We spawn the user's interactive login shell once and capture its `$PATH`
+  -- this picks up everything sourced from `.zshrc`, `.zprofile`,
+  `.bash_profile`, etc. (Homebrew, mise/asdf shims, custom directories).
+  The query result is cached for the process lifetime; on failure we fall
+  back to a hardcoded augmentation with Homebrew/user-local paths."
   (:require
    [babashka.fs :as fs]
+   [babashka.process :as p]
    [clojure.java.io :as io]
    [clojure.string :as string]
    [eca.logger :as logger]
@@ -17,12 +27,186 @@
 
 (defn get-env [env] (System/getenv env))
 
+(def ^:private cmd-default-timeout-ms 30000)
+(def ^:private shell-query-timeout-ms 5000)
+(def ^:private shell-query-delim "__ECA_PATH_DELIM__")
+
+(def ^:private mac-default-path-entries
+  ["/opt/homebrew/bin" "/usr/local/bin"])
+
+(def ^:private supported-query-shells
+  #{"bash" "zsh" "sh" "dash" "ksh"})
+
+(defn ^:private mac? [^String os-name]
+  (boolean (and os-name (string/starts-with? os-name "Mac"))))
+
+(defn ^:private windows? [^String os-name]
+  (boolean (and os-name (string/starts-with? os-name "Windows"))))
+
+(defn ^:private posix-shell-name [^String shell-path]
+  (some-> shell-path
+          (string/replace #".*/" "")
+          string/lower-case))
+
+(defn supported-query-shell?
+  "True when the shell's basename is a POSIX shell we know how to query
+  (bash/zsh/sh/dash/ksh). Other shells (notably fish) use different syntax
+  for `$PATH` expansion and are skipped -- we fall back to hardcoded
+  augmentation for those users."
+  [shell-path]
+  (contains? supported-query-shells (posix-shell-name shell-path)))
+
+(defn augment-path
+  "Pure helper. On macOS, returns a PATH string with Homebrew, /usr/local/bin
+  and `<home>/.local/bin` prepended (only entries not already present in
+  `existing-path`). On other OSes returns `existing-path` unchanged."
+  [os-name existing-path home path-separator]
+  (if (mac? os-name)
+    (let [sep (or path-separator ":")
+          existing (or existing-path "")
+          existing-set (set (string/split existing
+                                          (re-pattern (java.util.regex.Pattern/quote sep))))
+          extras (cond-> (vec mac-default-path-entries)
+                   home (conj (str home "/.local/bin")))
+          missing (vec (remove existing-set extras))]
+      (cond
+        (empty? missing) existing
+        (string/blank? existing) (string/join sep missing)
+        :else (str (string/join sep missing) sep existing)))
+    existing-path))
+
+(defn run-process!
+  "Spawns `cmd-vector` via babashka.process with `extra-env` merged into the
+  child env, deref'd with `timeout-ms`. Returns {:exit :out :err}.
+  On timeout destroys the process tree and throws ex-info.
+
+  Public so tests can `with-redefs` it without spawning real subprocesses."
+  [cmd-vector extra-env timeout-ms]
+  (let [proc (p/process {:cmd cmd-vector
+                         :out :string
+                         :err :string
+                         :continue true
+                         :extra-env extra-env})
+        result (deref proc timeout-ms ::timeout)]
+    (if (= result ::timeout)
+      (do
+        (p/destroy-tree proc)
+        (throw (ex-info "Command timed out"
+                        {:cmd cmd-vector :timeout-ms timeout-ms})))
+      result)))
+
+(defn query-user-shell-path*
+  "Spawns `shell-path` as `<shell> -ilc 'printf DELIM%sDELIM \"$PATH\"'` (an
+  interactive login shell, which sources the user's rc/profile files) and
+  extracts the captured PATH from between the delimiters. Returns the PATH
+  string or nil on any failure (unsupported shell, non-zero exit, missing
+  delimiter, exception/timeout). Empty PATH is treated as failure.
+
+  Public for testing -- the production path goes through `query-user-shell-path`
+  which reads `$SHELL` from the environment."
+  [shell-path]
+  (try
+    (when (supported-query-shell? shell-path)
+      (let [delim shell-query-delim
+            script (str "printf '" delim "%s" delim "' \"$PATH\"")
+            {:keys [exit out]} (run-process! [shell-path "-ilc" script]
+                                             {}
+                                             shell-query-timeout-ms)
+            quoted-delim (java.util.regex.Pattern/quote delim)]
+        (when (and (zero? exit) (string? out))
+          (when-let [[_ path] (re-find (re-pattern (str "(?s)" quoted-delim "(.*?)" quoted-delim))
+                                       out)]
+            (when (seq path) path)))))
+    (catch Exception e
+      (logger/debug logger-tag "Shell PATH query failed:" (.getMessage e))
+      nil)))
+
+(defn query-user-shell-path
+  "Reads `$SHELL` from the environment (defaulting to /bin/bash) and queries it
+  for the user's PATH. Returns the PATH string or nil on failure. Public for
+  test redefinition."
+  []
+  (query-user-shell-path* (or (System/getenv "SHELL") "/bin/bash")))
+
+(defonce ^:private user-shell-path-cache* (atom ::unset))
+
+(defn user-shell-path
+  "Returns the user's interactive shell PATH or nil. Lazily queried on first
+  call and cached for the process lifetime. Both successful and unsuccessful
+  results are cached -- we don't retry the shell query on every miss."
+  []
+  (let [v @user-shell-path-cache*]
+    (if (= v ::unset)
+      (let [p (query-user-shell-path)]
+        (reset! user-shell-path-cache* (or p ::miss))
+        p)
+      (when-not (= v ::miss) v))))
+
+(defn reset-shell-path-cache!
+  "Clears the cached shell PATH. Test helper."
+  []
+  (reset! user-shell-path-cache* ::unset))
+
+(defn effective-path
+  "Returns the PATH to use for the cmd resolver child process.
+
+  On macOS, prefers the user's interactive shell PATH (queried once and cached);
+  falls back to augmenting the inherited PATH with hardcoded Homebrew/user-local
+  entries when the shell query is unavailable. On other OSes returns
+  `existing-path` unchanged."
+  [os-name existing-path home sep]
+  (if (mac? os-name)
+    (or (user-shell-path)
+        (augment-path os-name existing-path home sep))
+    existing-path))
+
+(defn ^:private build-cmd-vector [^String os-name cmd-string]
+  (if (windows? os-name)
+    ["powershell.exe" "-NoProfile" "-Command" cmd-string]
+    ["bash" "-c" cmd-string]))
+
+(defn resolve-cmd
+  "Runs `cmd-string` via the platform shell (bash on POSIX, PowerShell on Windows)
+  and returns its stdout with trailing whitespace trimmed.
+
+  On non-zero exit, exception, or timeout: logs a warning and returns \"\" --
+  matching the failure mode of the other dynamic string backends so a missing
+  secret does not crash config load."
+  [cmd-string]
+  (try
+    (let [os-name (System/getProperty "os.name")
+          existing-path (System/getenv "PATH")
+          home (System/getProperty "user.home")
+          sep (System/getProperty "path.separator")
+          new-path (effective-path os-name existing-path home sep)
+          extra-env (cond-> {}
+                      (and new-path (not= new-path existing-path))
+                      (assoc "PATH" new-path))
+          {:keys [exit out err]} (run-process! (build-cmd-vector os-name cmd-string)
+                                               extra-env
+                                               cmd-default-timeout-ms)]
+      (if (zero? exit)
+        (some-> out string/trimr)
+        (do
+          (logger/warn logger-tag
+                       "Command exited non-zero:"
+                       {:cmd cmd-string
+                        :exit exit
+                        :err (some-> err string/trim)})
+          "")))
+    (catch Exception e
+      (logger/warn logger-tag
+                   "Command failed:"
+                   {:cmd cmd-string :error (.getMessage e)})
+      "")))
+
 (defn replace-dynamic-strings
   "Given a string and a current working directory, look for patterns replacing its content:
   - `${env:SOME-ENV:default-value}`: Replace with a env falling back to a optional default value
   - `${file:/some/path}`: Replace with a file content checking from cwd if relative
   - `${classpath:path/to/file}`: Replace with a file content found checking classpath
-  - `${netrc:api.provider.com}`: Replace with the content from Unix net RC [credential files](https://eca.dev/config/models/#credential-file-authentication)"
+  - `${netrc:api.provider.com}`: Replace with the content from Unix net RC [credential files](https://eca.dev/config/models/#credential-file-authentication)
+  - `${cmd:some command}`: Replace with the trimmed stdout of an arbitrary shell command"
   [s cwd config]
   (some-> s
           (string/replace #"\$\{env:([^:}]+)(?::([^}]*))?\}"
@@ -53,4 +237,11 @@
                               (or (secrets/get-credential key-rc (get config "netrcFile")) "")
                               (catch Exception e
                                 (logger/warn logger-tag "Error reading netrc credential:" (.getMessage e))
+                                ""))))
+          (string/replace #"\$\{cmd:([^}]+)\}"
+                          (fn [[_match cmd-string]]
+                            (try
+                              (or (resolve-cmd cmd-string) "")
+                              (catch Exception e
+                                (logger/warn logger-tag "Error executing cmd:" (.getMessage e))
                                 ""))))))

test/eca/config_test.clj

@@ -469,7 +469,7 @@
       (is (= "password1 and password2"
              (interpolation/replace-dynamic-strings "${netrc:api1.example.com} and ${netrc:api2.example.com}" "/tmp" {})))))
 
-  (testing "handles mixed env, file, classpath, and netrc patterns"
+  (testing "handles mixed env, file, classpath, netrc and cmd patterns"
     (with-redefs [interpolation/get-env (fn [env-var]
                                    (when (= env-var "TEST_VAR") "env-value"))
                   fs/expand-home identity
@@ -485,9 +485,11 @@
                   secrets/get-credential (fn [key-rc _]
                                            (when (= key-rc "api.example.com")
                                              "netrc-password"))
+                  interpolation/resolve-cmd (fn [cmd-string]
+                                              (when (= cmd-string "echo cmd-value") "cmd-value"))
                   logger/warn (fn [& _] nil)]
-      (is (= "env-value and file-value and classpath-value and netrc-password"
-             (interpolation/replace-dynamic-strings "${env:TEST_VAR} and ${file:/file.txt} and ${classpath:resource.txt} and ${netrc:api.example.com}" "/tmp" {})))))
+      (is (= "env-value and file-value and classpath-value and netrc-password and cmd-value"
+             (interpolation/replace-dynamic-strings "${env:TEST_VAR} and ${file:/file.txt} and ${classpath:resource.txt} and ${netrc:api.example.com} and ${cmd:echo cmd-value}" "/tmp" {})))))
 
   (testing "handles netrc pattern within longer strings"
     (with-redefs [secrets/get-credential (fn [key-rc _]
@@ -508,7 +510,45 @@
                                              "api_service.example.com" "password2"
                                              nil))]
       (is (= "password1" (interpolation/replace-dynamic-strings "${netrc:api-gateway.example-corp.com}" "/tmp" {})))
-      (is (= "password2" (interpolation/replace-dynamic-strings "${netrc:api_service.example.com}" "/tmp" {}))))))
+      (is (= "password2" (interpolation/replace-dynamic-strings "${netrc:api_service.example.com}" "/tmp" {})))))
+
+  (testing "replaces cmd pattern with the resolver result"
+    (with-redefs [interpolation/resolve-cmd (fn [cmd-string]
+                                              (case cmd-string
+                                                "pass show eca/api-key" "sk-abc123"
+                                                "echo hello" "hello"
+                                                ""))]
+      (is (= "sk-abc123" (interpolation/replace-dynamic-strings "${cmd:pass show eca/api-key}" "/tmp" {})))
+      (is (= "Bearer sk-abc123" (interpolation/replace-dynamic-strings "Bearer ${cmd:pass show eca/api-key}" "/tmp" {})))))
+
+  (testing "cmd pattern supports values with `://` (1Password op references)"
+    (with-redefs [interpolation/resolve-cmd (fn [cmd-string]
+                                              (when (= cmd-string "op read op://vault/Item/credential")
+                                                "op-secret"))]
+      (is (= "op-secret"
+             (interpolation/replace-dynamic-strings "${cmd:op read op://vault/Item/credential}" "/tmp" {})))))
+
+  (testing "cmd pattern returns empty string when resolver returns nil/empty"
+    (with-redefs [interpolation/resolve-cmd (constantly "")]
+      (is (= "" (interpolation/replace-dynamic-strings "${cmd:false}" "/tmp" {})))
+      (is (= "prefix  suffix"
+             (interpolation/replace-dynamic-strings "prefix ${cmd:false} suffix" "/tmp" {})))))
+
+  (testing "cmd pattern returns empty string when resolver throws"
+    (with-redefs [logger/warn (fn [& _] nil)
+                  interpolation/resolve-cmd (fn [_] (throw (ex-info "boom" {})))]
+      (is (= "" (interpolation/replace-dynamic-strings "${cmd:explode}" "/tmp" {})))
+      (is (= "prefix  suffix"
+             (interpolation/replace-dynamic-strings "prefix ${cmd:explode} suffix" "/tmp" {})))))
+
+  (testing "handles multiple cmd patterns in one string"
+    (with-redefs [interpolation/resolve-cmd (fn [cmd-string]
+                                              (case cmd-string
+                                                "echo a" "value-a"
+                                                "echo b" "value-b"
+                                                ""))]
+      (is (= "value-a and value-b"
+             (interpolation/replace-dynamic-strings "${cmd:echo a} and ${cmd:echo b}" "/tmp" {}))))))
 
 (deftest config-schema-test
   (testing "docs/config.json is a valid JSON schema"