Certain toolchains expect certain environment variables to be set in order to do their jobs properly. The problem I was facing that lead to this issue is using a wrapped clang provided via Nix on macOS. The Nix-provided clang on my machine needed the following two environment variables (which are normally in my environment via nix magic, but were filtered by hooks_runner) in order to have my build hook executed correctly:

'NIX_CC_WRAPPER_TARGET_HOST_arm64_apple_darwin': '1',
'NIX_LDFLAGS':
  ' -L/nix/store/7862xphb8a6sxwx5g2mqbp19jbmdjcgr-protobuf-31.1/lib -L/nix/store/p3802ll9skds56grk4i6p4j8r3srz2fj-abseil-cpp-20250512.1/lib -L/nix/store/nzvfa327cd5gan08ijkn465kbanbizpg-libcxx-19.1.7/lib -L/nix/store/92d9hckw1c31h2f60pdi4w5gq9mkqk71-compiler-rt-libc-19.1.7/lib -L/nix/store/lcpbdhaw5yrw96kghpq9d5z0cfq4ljq5-libiconv-109/lib -L/nix/store/y6frq21br4n8z8hzx4pr5j3lpd90wpv4-libresolv-83/lib -L/nix/store/872rlc1gn93ixb54yxi6z5kaxvkljbi7-libsbuf-14.1.0/lib -L/nix/store/pi9b6kmgdp8gsb6kiq5l5fq69753icw7-libutil-72/lib -L/nix/store/7862xphb8a6sxwx5g2mqbp19jbmdjcgr-protobuf-31.1/lib -L/nix/store/p3802ll9skds56grk4i6p4j8r3srz2fj-abseil-cpp-20250512.1/lib -L/nix/store/nzvfa327cd5gan08ijkn465kbanbizpg-libcxx-19.1.7/lib -L/nix/store/92d9hckw1c31h2f60pdi4w5gq9mkqk71-compiler-rt-libc-19.1.7/lib -L/nix/store/lcpbdhaw5yrw96kghpq9d5z0cfq4ljq5-libiconv-109/lib -L/nix/store/y6frq21br4n8z8hzx4pr5j3lpd90wpv4-libresolv-83/lib -L/nix/store/872rlc1gn93ixb54yxi6z5kaxvkljbi7-libsbuf-14.1.0/lib -L/nix/store/pi9b6kmgdp8gsb6kiq5l5fq69753icw7-libutil-72/lib',

This is problematic, as:

• I doubt the naming of these two environment variables is guaranteed, so we probably shouldn't just add to the allowlist (see below)
  • And who's to say there aren't other special environment variables out there?
• My build hook fails without these exact env vars in place
• hooks_runner filters out these env vars when invoking my build script

I'm honestly not sure on the best fix here, as I don't know why environment variable filtering was implemented at the start (I'm sure there's a good reason, I just don't know it).

CC @dcharkes, hoping you can shed some light on this.

For context, this is where the filtering happens:

And this is where the allowlist is defined.

Thanks in advance!!

side note: if environment variable filtering is a must, perhaps we can just allow NIX_* to pass through the filter? But I'm frankly wondering if some future user will run into the same issue using some different toolchain.