fix: Sanitize all env values in evals to prevent ERR_INVALID_CHAR (#665)

* fix: Sanitize all env values in evals to prevent ERR_INVALID_CHAR

CI secrets often contain trailing newlines or quotes that cause
`TypeError [ERR_INVALID_CHAR]: Invalid character in header content`
when passed to HTTP clients.

- Sanitize OPENROUTER_CONFIG (apiKey + baseURL) at capture time in shared/config.ts
- Sanitize APIFY_TOKEN in workflow evals
- Sanitize both OpenRouter clients in evaluation_utils.ts (createOpenRouterTask + createClassifierEvaluator)
- Rename sanitizeHeaderValue → sanitizeEnvValue (used for URLs and tokens, not just headers)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: sanitize openrouterKey and guard undefined assignment to process.env

Agent-Logs-Url: https://github.com/apify/apify-mcp-server/sessions/76f2f7a9-f806-4b0b-86de-138f7be29b15

Co-authored-by: jirispilka <19406805+jirispilka@users.noreply.github.com>

* fix: Remove sanitizeEnvValue usage and implement OPENROUTER_CONFIG for environment variables

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: 3 people

evals/config.ts

@@ -9,7 +9,7 @@ import { fileURLToPath } from 'node:url';
 import log from '@apify/log';
 
 // Re-export shared config
-export { OPENROUTER_CONFIG, sanitizeHeaderValue, validateEnvVars, getRequiredEnvVars } from './shared/config.js';
+export { OPENROUTER_CONFIG, sanitizeEnvValue, validateEnvVars, getRequiredEnvVars } from './shared/config.js';
 
 // Read the version from test-cases.json
 function getTestCasesVersion(): string {

evals/create_dataset.ts

@@ -14,7 +14,7 @@ import { hideBin } from 'yargs/helpers';
 
 import log from '@apify/log';
 
-import { sanitizeHeaderValue, validatePhoenixEnvVars } from './config.js';
+import { sanitizeEnvValue, validatePhoenixEnvVars } from './config.js';
 import { loadTestCases, filterByCategory, filterById, type TestCase } from './evaluation_utils.js';
 
 // Set log level to debug
@@ -98,7 +98,7 @@ async function createDatasetFromTestCases(
     const client = createClient({
         options: {
             baseUrl: process.env.PHOENIX_BASE_URL!,
-            headers: { Authorization: `Bearer ${sanitizeHeaderValue(process.env.PHOENIX_API_KEY)}` },
+            headers: { Authorization: `Bearer ${sanitizeEnvValue(process.env.PHOENIX_API_KEY)}` },
         },
     });
 

evals/eval_single.ts

@@ -9,7 +9,7 @@ import {
     loadTestCases, filterById,
     type TestCase
 } from './evaluation_utils.js';
-import { PASS_THRESHOLD, sanitizeHeaderValue } from './config.js';
+import { PASS_THRESHOLD } from './config.js';
 
 dotenv.config({ path: '.env' });
 log.setLevel(log.LEVELS.INFO);
@@ -25,8 +25,6 @@ const EXAMPLES: TestCase[] = [
 EXAMPLES.push(...filterById(loadTestCases('test_cases.json').testCases, 'fetch-actor-details-1'));
 
 async function main() {
-    process.env.OPENROUTER_API_KEY = sanitizeHeaderValue(process.env.OPENROUTER_API_KEY);
-
     console.log(`\nEvaluating ${EXAMPLES.length} examples\n`);
 
     // 1. Load tools

evals/evaluation_utils.ts

@@ -18,7 +18,7 @@ import {
     TOOL_SELECTION_EVAL_MODEL,
     EVALUATOR_NAMES,
     TEMPERATURE,
-    sanitizeHeaderValue
+    OPENROUTER_CONFIG,
 } from './config.js';
 import { loadTestCases as loadTestCasesShared, filterByCategory, filterById } from './shared/test_case_loader.js';
 import { transformToolsToOpenAIFormat } from './shared/openai_tools.js';
@@ -56,10 +56,7 @@ export function createOpenRouterTask(modelName: string, tools: ToolBase[]) {
         context: string;
         reference: string;
     }> => {
-        const client = new OpenAI({
-            baseURL: process.env.OPENROUTER_BASE_URL,
-            apiKey: sanitizeHeaderValue(process.env.OPENROUTER_API_KEY),
-        });
+        const client = new OpenAI(OPENROUTER_CONFIG);
 
         log.info(`Input: ${JSON.stringify(example)}`);
 
@@ -104,10 +101,7 @@ export function createOpenRouterTask(modelName: string, tools: ToolBase[]) {
 }
 
 export function createClassifierEvaluator() {
-    const openai = createOpenAI({
-        baseURL: process.env.OPENROUTER_BASE_URL,
-        apiKey: process.env.OPENROUTER_API_KEY,
-    });
+    const openai = createOpenAI(OPENROUTER_CONFIG);
 
     return createClassifierFn({
         model: openai(TOOL_SELECTION_EVAL_MODEL),

evals/run_evaluation.ts

@@ -29,7 +29,7 @@ import {
     PHOENIX_RETRY_DELAY_MS,
     PHOENIX_MAX_RETRIES,
     type EvaluatorName,
-    sanitizeHeaderValue,
+    sanitizeEnvValue,
     validatePhoenixEnvVars
 } from './config.js';
 
@@ -78,9 +78,6 @@ const argv = yargs(hideBin(process.argv))
     .epilogue('  npm run evals:run -- --dataset-name custom_v1  # Via npm script')
     .parseSync() as CliArgs;
 
-// Sanitize secrets early to avoid invalid header characters in CI
-process.env.OPENROUTER_API_KEY = sanitizeHeaderValue(process.env.OPENROUTER_API_KEY);
-
 // Tools match evaluator: returns score 1 if expected tool_calls match output list, 0 otherwise
 const toolsExactMatch = asEvaluator({
     name: EVALUATOR_NAMES.TOOLS_EXACT_MATCH,
@@ -197,7 +194,7 @@ async function main(datasetName: string): Promise<number> {
     const client = createClient({
         options: {
             baseUrl: process.env.PHOENIX_BASE_URL!,
-            headers: { Authorization: `Bearer ${sanitizeHeaderValue(process.env.PHOENIX_API_KEY)}` },
+            headers: { Authorization: `Bearer ${sanitizeEnvValue(process.env.PHOENIX_API_KEY)}` },
         },
     });
 

evals/shared/config.ts

@@ -8,8 +8,8 @@
  * OPENROUTER_BASE_URL is optional and defaults to the standard OpenRouter API URL
  */
 export const OPENROUTER_CONFIG = {
-    baseURL: process.env.OPENROUTER_BASE_URL || 'https://openrouter.ai/api/v1',
-    apiKey: process.env.OPENROUTER_API_KEY || '',
+    baseURL: sanitizeEnvValue(process.env.OPENROUTER_BASE_URL) || 'https://openrouter.ai/api/v1',
+    apiKey: sanitizeEnvValue(process.env.OPENROUTER_API_KEY) || '',
 };
 
 /**
@@ -23,10 +23,10 @@ export function getRequiredEnvVars(): Record<string, string | undefined> {
 }
 
 /**
- * Removes newlines and trims whitespace. Useful for Authorization header values
- * because CI secrets sometimes include trailing newlines or quotes.
+ * Removes newlines, trims whitespace, and strips surrounding quotes from env values.
+ * CI secrets often include trailing newlines or quotes that break HTTP headers and URLs.
  */
-export function sanitizeHeaderValue(value?: string): string | undefined {
+export function sanitizeEnvValue(value?: string): string | undefined {
     if (value == null) return value;
     return value.replace(/[\r\n]/g, '').trim().replace(/^"|"$/g, '');
 }

evals/workflows/config.ts

@@ -6,7 +6,7 @@
  */
 
 // Re-export shared config for convenience
-export { OPENROUTER_CONFIG, sanitizeHeaderValue, validateEnvVars } from '../shared/config.js';
+export { OPENROUTER_CONFIG, sanitizeEnvValue, validateEnvVars } from '../shared/config.js';
 
 /**
  * Default model configuration for agent and judge

evals/workflows/run_workflow_evals.ts

@@ -21,7 +21,7 @@ import { hideBin } from 'yargs/helpers';
 import { filterByLineRanges } from '../shared/line_range_filter.js';
 import type { LineRange } from '../shared/line_range_parser.js';
 import { checkRangesOutOfBounds, parseLineRanges, validateLineRanges } from '../shared/line_range_parser.js';
-import { DEFAULT_TOOL_TIMEOUT_SECONDS, MODELS } from './config.js';
+import { DEFAULT_TOOL_TIMEOUT_SECONDS, MODELS, sanitizeEnvValue } from './config.js';
 import { executeConversation } from './conversation_executor.js';
 import { LlmClient } from './llm_client.js';
 import { McpClient } from './mcp_client.js';
@@ -211,8 +211,8 @@ async function main() {
     console.log();
 
     // Check environment variables
-    const apifyToken = process.env.APIFY_TOKEN;
-    const openrouterKey = process.env.OPENROUTER_API_KEY;
+    const apifyToken = sanitizeEnvValue(process.env.APIFY_TOKEN);
+    const openrouterKey = sanitizeEnvValue(process.env.OPENROUTER_API_KEY);
 
     if (!apifyToken) {
         console.error('❌ Error: APIFY_TOKEN environment variable is required');

tests/unit/evals.config.test.ts

@@ -0,0 +1,54 @@
+import { describe, expect, it } from 'vitest';
+
+import { sanitizeEnvValue } from '../../evals/shared/config.js';
+
+describe('sanitizeEnvValue', () => {
+    it('returns undefined for undefined', () => {
+        expect(sanitizeEnvValue(undefined)).toBeUndefined();
+    });
+
+    it('returns null for null', () => {
+        expect(sanitizeEnvValue(null as unknown as undefined)).toBeNull();
+    });
+
+    it('strips trailing newline', () => {
+        expect(sanitizeEnvValue('sk-abc123\n')).toBe('sk-abc123');
+    });
+
+    it('strips carriage-return + newline', () => {
+        expect(sanitizeEnvValue('sk-abc123\r\n')).toBe('sk-abc123');
+    });
+
+    it('strips embedded newlines', () => {
+        expect(sanitizeEnvValue('sk-\nabc\r\n123\n')).toBe('sk-abc123');
+    });
+
+    it('trims surrounding whitespace', () => {
+        expect(sanitizeEnvValue('  sk-abc123  ')).toBe('sk-abc123');
+    });
+
+    it('strips surrounding double quotes', () => {
+        expect(sanitizeEnvValue('"sk-abc123"')).toBe('sk-abc123');
+    });
+
+    it('strips only outer quotes (not inner)', () => {
+        expect(sanitizeEnvValue('"sk-"abc"-123"')).toBe('sk-"abc"-123');
+    });
+
+    it('does not strip single quotes', () => {
+        expect(sanitizeEnvValue("'sk-abc123'")).toBe("'sk-abc123'");
+    });
+
+    it('handles combined whitespace, newlines, and quotes', () => {
+        expect(sanitizeEnvValue('  "sk-abc123"\n')).toBe('sk-abc123');
+    });
+
+    it('returns empty string for empty input', () => {
+        expect(sanitizeEnvValue('')).toBe('');
+    });
+
+    it('is idempotent', () => {
+        const value = '  "sk-abc123"\r\n';
+        expect(sanitizeEnvValue(sanitizeEnvValue(value))).toBe(sanitizeEnvValue(value));
+    });
+});