🧪 Isolate auth sanitizer subprocess environment

Author: pboling

.rubocop_gradual.lock

@@ -1,9 +1,9 @@
 {
-  "spec/oauth2/auth_sanitizer_spec.rb:1763449711": [
-    [19, 14, 2, "Lint/Syntax: unexpected token tLSHFT\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 5859461],
-    [66, 35, 2, "Lint/Syntax: unexpected token tLSHFT\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 5859461],
-    [67, 38, 2, "Lint/Syntax: unexpected token tIDENTIFIER\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 5861278],
-    [67, 66, 4, "Lint/Syntax: unexpected token tIDENTIFIER\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 2087898353],
-    [69, 13, 1, "Lint/Syntax: unexpected token tCOLON\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 177567]
+  "spec/oauth2/auth_sanitizer_spec.rb:2015103424": [
+    [21, 14, 2, "Lint/Syntax: unexpected token tLSHFT\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 5859461],
+    [72, 35, 2, "Lint/Syntax: unexpected token tLSHFT\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 5859461],
+    [73, 38, 2, "Lint/Syntax: unexpected token tIDENTIFIER\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 5861278],
+    [73, 66, 4, "Lint/Syntax: unexpected token tIDENTIFIER\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 2087898353],
+    [75, 13, 1, "Lint/Syntax: unexpected token tCOLON\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 177567]
   ]
 }

CHANGELOG.md

@@ -28,6 +28,9 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Fixed
 
+- Fixed the isolated `auth-sanitizer` load-path regression spec so spawned Ruby
+  processes run with an explicit minimal environment in CI.
+
 ### Security
 
 ## [2.0.24] - 2026-06-18

spec/oauth2/auth_sanitizer_spec.rb

@@ -15,7 +15,9 @@
 
   it "loads when auth-sanitizer is only available on the load path, not GEM_PATH" do
     oauth2_lib = File.expand_path("../../lib", __dir__)
+    anonymous_loader_lib = File.join(Gem.loaded_specs.fetch("anonymous_loader").full_gem_path, "lib")
     auth_sanitizer_lib = File.join(Gem.loaded_specs.fetch("auth-sanitizer").full_gem_path, "lib")
+    version_gem_lib = File.join(Gem.loaded_specs.fetch("version_gem").full_gem_path, "lib")
     script = <<~'RUBY'
       require "rubygems"
 
@@ -34,22 +36,21 @@ def find_by_name(name, *requirements)
       require "oauth2/auth_sanitizer"
       abort("OAuth2::AUTH_SANITIZER was not loaded") unless OAuth2.const_defined?(:AUTH_SANITIZER, false)
     RUBY
-    ruby_env = if defined?(Bundler)
-      Bundler.with_unbundled_env { ENV.to_h }
-    else
-      ENV.to_h
+    passthrough_env_keys = %w[
+      GEM_HOME
+      GEM_PATH
+      HOME
+      PATH
+      PATHEXT
+      SystemRoot
+      TEMP
+      TMP
+      TMPDIR
+      WINDIR
+    ]
+    ruby_env = passthrough_env_keys.each_with_object({}) do |key, env|
+      env[key] = ENV[key] if ENV.key?(key)
     end
-    %w[
-      BUNDLE_BIN_PATH
-      BUNDLE_GEMFILE
-      BUNDLE_PATH
-      BUNDLE_WITH
-      BUNDLE_WITHOUT
-      BUNDLER_VERSION
-      RUBYGEMS_GEMDEPS
-      RUBYLIB
-      RUBYOPT
-    ].each { |key| ruby_env[key] = nil }
 
     stdout, stderr, status = Open3.capture3(
       ruby_env,
@@ -58,9 +59,14 @@ def find_by_name(name, *requirements)
       "-I",
       oauth2_lib,
       "-I",
+      anonymous_loader_lib,
+      "-I",
       auth_sanitizer_lib,
+      "-I",
+      version_gem_lib,
       "-e",
-      script
+      script,
+      unsetenv_others: true
     )
 
     expect(status).to be_success, <<~MSG