feat: Support CLI flag to discard env vars with empty value

[korya]

Instead of failing.

This eliminates the need to wrap lk invocations with custom logic for manually filtering out such values. For example, this is a real script for deploying using lk agent deploy:

rm -f .env.lk
sed '/^#/d' .env | grep -vE '^[A-Za-z_][A-Za-z0-9_]*=$' > .env.lk
lk agent deploy --secrets-file .env.lk

With the flag, this would be just:

lk agent deploy --secrets-file .env --ignore-empty-vars

Related:

• Cannot create agent when .env contains empty vars #678
• better error message when secrets are malformed #724

Summary by CodeRabbit

Release Notes

• New Features

  • Added --ignore-empty-secrets CLI flag to skip empty secret values during processing instead of raising an error.
  • Includes logging of skipped secrets to inform users which secrets were excluded (respects silent mode).

• Tests

  • Added comprehensive test coverage for secret handling with various configuration combinations.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[CLAassistant]

All committers have signed the CLA.

[korya]

@real-danm @yoonsio Guys any feedback on this? If you believe that it is not needed then just close it.

[real-danm]

lgtm, thanks for the submission!

[korya]

@real-danm @yoonsio @rektdeckard Guys, any chance of merging this PR? The problem it solved is not urgent or critical but super annoying.

[yoonsio]

@korya Could you update the flag from ignore-empty-vars to ignore-empty-secrets? Otherwise looks great!

[coderabbitai]

📝 Walkthrough

Walkthrough

A new --ignore-empty-secrets CLI flag is added to handle empty secret values during secret parsing. When enabled, empty secrets are skipped instead of causing errors. A new test file comprehensively validates the secret-handling logic across multiple scenarios.

Changes

Cohort / File(s)	Summary
Flag & Logic Implementation cmd/lk/agent.go	Introduces ignoreEmptySecretsFlag variable and wires the --ignore-empty-secrets flag into secret-handling commands. Adds conditional logic to skip empty secret values when the flag is set, otherwise returns an error. Includes post-processing to log skipped secrets.
Test Coverage cmd/lk/agent_test.go	New test file with buildTestCommand helper and table-driven tests for requireSecrets(). Covers scenarios: empty/non-empty secrets with/without the flag, .env files, inline secrets, error conditions, silent mode, and inline secret precedence over file-based secrets.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A flag hops in, so sleek and fine,
Empty secrets? Skip them—no more whine!
Tests multiply, scenarios abound,
With silent hops and logic sound.
Secrets march on, ever more aligned! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately reflects the main change: adding a CLI flag to handle empty environment variables by discarding them, which matches the primary purpose of the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 86d6dde and 691fe52.

📒 Files selected for processing (2)

• cmd/lk/agent.go
• cmd/lk/agent_test.go

🧰 Additional context used

🧬 Code graph analysis (1)

cmd/lk/agent.go (1)

pkg/util/theme.go (1)

• Dimmed (33-35)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: test (windows-latest)
• GitHub Check: test (macos-latest)

🔇 Additional comments (6)

cmd/lk/agent.go (3)

162-170: Flag wiring across secrets-related commands looks consistent.

Nice coverage ensuring create/deploy/update/update-secrets all accept the new flag.

Also applies to: 207-214, 235-240, 330-335

---

1299-1327: Skip-empty handling and guidance are clear.

The conditional skip logic plus the explicit error message (when not ignoring) provides a good UX.

---

80-85: No flag name mismatch found.

The commit message and implementation consistently use --ignore-empty-secrets throughout. No reference to --ignore-empty-vars exists in the PR commit message or codebase. The alias suggestion is unnecessary.

Likely an incorrect or invalid review comment.

cmd/lk/agent_test.go (3)

27-90: Test harness setup is clear and self-contained.

Capturing the parsed command state makes the tests easy to reason about.

---

92-284: Comprehensive table-driven coverage for ignore-empty-secrets behavior.

Scenarios cover empty values, silent mode, required/lazy paths, and error messaging.

---

286-309: Inline-overrides-file precedence is well validated.

Good to see explicit coverage of inline secrets superseding file values.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[korya]

@korya Could you update the flag from ignore-empty-vars to ignore-empty-secrets? Otherwise looks great!

Great, thanks! Made the requested changes.

[yoonsio]

LGTM