What happens
When we load an .afm.md file, the code first does a find-and-replace for ${env:...}
variables on the raw text, and then parses the YAML. Because the value is pasted in as
plain text before parsing, if the value has characters that mean something in YAML (like a
: or a new line), it can break parsing or change the config in ways the author didn't write.
Example
Say the file has:
    model:
      name: gpt-4o
      authentication:
        type: bearer
        token: ${env:TOKEN}
If TOKEN is something like abc: def (a normal-looking secret), after substitution the
text becomes:
    token: abc: def
Now there are two colons on one line, so YAML fails with:
    Invalid YAML in frontmatter: mapping values are not allowed here
Even though the secret itself is perfectly fine.
A worse case: if an env value contains a new line, it can add extra YAML keys that were never
in the file. For example a value like openai\n url: http://something ends up adding a
url: field under model, which wasn't written by the author.
Why this is a problem
- Real secrets/tokens can contain special characters, so loading can fail for no obvious reason.
- In setups where the env values are set somewhere else (CI, a deploy platform, etc.), a value
could end up changing the config in unexpected ways.
Steps to reproduce
- Set an env var with a colon in it, e.g. TOKEN="abc: def".
- Use it in the frontmatter as token: ${env:TOKEN}.
- Load the file → YAML parse error.
Possible fix (idea)
Parse the YAML first and then resolve the variables on the values, so the value is always
treated as plain text and not as part of the YAML structure.
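The two orderings side by side, as an added example that is not the project's own code. It assumes PyYAML as the parser; the `provider` key, the function names and the sample environments are constructed for illustration.

```python
import re
import yaml  # PyYAML, assumed to be the YAML parser in use

ENV_REF = re.compile(r"\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed frontmatter; the `provider` key is hypothetical, added so the
# newline case has an unquoted value directly under `model`.
FRONTMATTER = """\
model:
  name: gpt-4o
  provider: ${env:PROVIDER}
  authentication:
    type: bearer
    token: ${env:TOKEN}
"""

# Constructed environments matching the two cases in the report.
ENV_COLON = {"PROVIDER": "openai", "TOKEN": "abc: def"}
ENV_NEWLINE = {"PROVIDER": "openai\n  url: http://something", "TOKEN": "abc"}

def expand(text, env):
    """Replace each ${env:NAME}; an unset NAME raises KeyError."""
    return ENV_REF.sub(lambda m: env[m.group(1)], text)

def substitute_then_parse(text, env):
    """Order described in the report: the value becomes YAML source."""
    return yaml.safe_load(expand(text, env))

def resolve(node, env):
    """Expand references only inside already-parsed string values."""
    if isinstance(node, dict):
        return {key: resolve(value, env) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve(item, env) for item in node]
    return expand(node, env) if isinstance(node, str) else node

def parse_then_substitute(text, env):
    """Proposed order: structure is fixed before any value is inserted."""
    return resolve(yaml.safe_load(text), env)

if __name__ == "__main__":
    try:
        substitute_then_parse(FRONTMATTER, ENV_COLON)
    except yaml.YAMLError as err:
        print("substitute-then-parse fails:", err)
    print(substitute_then_parse(FRONTMATTER, ENV_NEWLINE)["model"])
    print(parse_then_substitute(FRONTMATTER, ENV_NEWLINE)["model"])
```

With the parse-first order every resolved value stays a string, so a field that expects a number or boolean from the environment needs an explicit conversion afterwards.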