🧪 Isolate auth sanitizer load path spec from Bundler

Author: pboling

.rubocop_gradual.lock

@@ -1,9 +1,9 @@
 {
-  "spec/oauth2/auth_sanitizer_spec.rb:899913194": [
+  "spec/oauth2/auth_sanitizer_spec.rb:2223470268": [
     [19, 14, 2, "Lint/Syntax: unexpected token tLSHFT\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 5859461],
-    [54, 35, 2, "Lint/Syntax: unexpected token tLSHFT\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 5859461],
-    [55, 38, 2, "Lint/Syntax: unexpected token tIDENTIFIER\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 5861278],
-    [55, 66, 4, "Lint/Syntax: unexpected token tIDENTIFIER\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 2087898353],
-    [57, 13, 1, "Lint/Syntax: unexpected token tCOLON\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 177567]
+    [65, 35, 2, "Lint/Syntax: unexpected token tLSHFT\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 5859461],
+    [66, 38, 2, "Lint/Syntax: unexpected token tIDENTIFIER\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 5861278],
+    [66, 66, 4, "Lint/Syntax: unexpected token tIDENTIFIER\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 2087898353],
+    [68, 13, 1, "Lint/Syntax: unexpected token tCOLON\n(Using Ruby 2.2 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)", 177567]
   ]
 }

CHANGELOG.md

@@ -28,6 +28,9 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Fixed
 
+- Fixed the isolated `auth-sanitizer` load-path regression spec so subprocess
+  RubyGems startup cannot inherit Bundler/Appraisal activation from CI.
+
 ### Security
 
 ## [2.0.24] - 2026-06-18

spec/oauth2/auth_sanitizer_spec.rb

@@ -34,14 +34,25 @@ def find_by_name(name, *requirements)
       require "oauth2/auth_sanitizer"
       abort("OAuth2::AUTH_SANITIZER was not loaded") unless OAuth2.const_defined?(:AUTH_SANITIZER, false)
     RUBY
+    ruby_env = if defined?(Bundler)
+      Bundler.with_unbundled_env { ENV.to_h }
+    else
+      ENV.to_h
+    end
+    %w[
+      BUNDLE_BIN_PATH
+      BUNDLE_GEMFILE
+      BUNDLE_PATH
+      BUNDLE_WITH
+      BUNDLE_WITHOUT
+      BUNDLER_VERSION
+      RUBYGEMS_GEMDEPS
+      RUBYLIB
+      RUBYOPT
+    ].each { |key| ruby_env[key] = nil }
 
     stdout, stderr, status = Open3.capture3(
-      {
-        "BUNDLE_GEMFILE" => nil,
-        "BUNDLER_VERSION" => nil,
-        "RUBYLIB" => nil,
-        "RUBYOPT" => nil,
-      },
+      ruby_env,
       RbConfig.ruby,
       "-I",
       oauth2_lib,