chore: clone config.env in genEnv to prevent shared-object mutation

[joonas]

Description

genEnv deleted config.env["PEPR_WATCH_MODE"] directly from the caller's ModuleConfig reference. Since the same config object is passed twice (once for the admission deployment and once for the watcher deployment) the first call permanently removed the key. Any code reading config.env after the first genEnv call would no longer see PEPR_WATCH_MODE.

Shallow-clone config.env into a local cfg object and delete the key from the clone instead. This preserves the original config while still preventing a user-supplied PEPR_WATCH_MODE from overriding the programmatic value controlled by the watchMode parameter.

Both regression tests assert config.env identity via snapshot comparison rather than checking genEnv return values. The def object always supplies PEPR_WATCH_MODE from the watchMode parameter, so output-based assertions pass even with the mutation bug present. Existing tests already cover output correctness for each mode.

End to End Test:
(See Pepr Excellent Examples)

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Other (security config, docs update, etc)

Checklist before merging

• Unit, Integration, docs, adr added or updated as needed
• Contributor Guide Steps followed

[samayer12]

@greptileai

[greptile-apps]

Greptile Summary

This PR fixes a shared-object mutation bug in genEnv where PEPR_WATCH_MODE was deleted directly from the caller's config.env reference. Because the same ModuleConfig is passed to genEnv for both the admission and watcher deployments, the first call silently stripped the key from the shared object.

• Fix (environment.ts): Shallow-clone config.env into a local cfg variable before deleting PEPR_WATCH_MODE, so the original object is never touched.
• Tests (environment.test.ts): Two regression tests added — one verifying a single call leaves config.env intact, and one simulating the real two-call pattern (admission then watcher) that triggered the original bug.

Confidence Score: 5/5

Safe to merge — the change is a minimal, well-targeted clone-before-delete that eliminates an object mutation without touching any other logic.

The fix is a single-line shallow clone that confines the PEPR_WATCH_MODE delete to a local copy of config.env. The logic for building the final env array is unchanged. Two new regression tests directly reproduce the two-call admission+watcher pattern that exposed the original bug, and existing tests continue to cover output correctness for every mode.

No files require special attention.

Important Files Changed

Filename	Overview
src/lib/assets/environment.ts	Shallow-clones config.env before deleting PEPR_WATCH_MODE, preventing mutation of the caller's shared config object.
src/lib/assets/environment.test.ts	Adds two targeted regression tests: single-call immutability and two-call (admission + watcher) immutability of config.env.

_{Reviews (2): Last reviewed commit: "Merge branch 'main' into fix/environment..." | Re-trigger Greptile}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.57%. Comparing base (8f32c8e) to head (704c517).
⚠️ Report is 33 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2981      +/-   ##
==========================================
+ Coverage   77.43%   77.57%   +0.13%     
==========================================
  Files          93       93              
  Lines        2535     2582      +47     
  Branches      532      544      +12     
==========================================
+ Hits         1963     2003      +40     
- Misses        445      452       +7     
  Partials      127      127              

Files with missing lines	Coverage Δ
src/lib/assets/environment.ts	100.00% <100.00%> (ø)

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[AmberFryar]

Moving to an upstream branch #3103 to fix CI secrets access. Cherry-picked with original authorship preserved.