This guide covers the full details of how FinalRun resolves environment variables, secrets, and AI provider API keys. For a quick summary, see the README. For workspace config and app identity, see configuration.md.
Workspace root is the folder that contains .finalrun/. FinalRun finds it by walking up from your shell's current directory, so dotenv paths are anchored to that root (not to cwd when you run from a subfolder).
my-app/ # workspace root
.env # optional; shared defaults (do not commit)
.env.dev # optional; values when using env name "dev" (do not commit)
.finalrun/
config.yaml
env/
dev.yaml # declares placeholder bindings only
tests/
smoke.yaml
.env— optional; values merged for all runs (see load order below)..env.<name>— optional; used when that environment is active (e.g..env.devfor--env devorenv: devin.finalrun/config.yaml). The name matches.finalrun/env/<name>.yaml.
Declares secrets as placeholders like ${TEST_USER_EMAIL} and variables as plain values. The CLI resolves each secrets placeholder from the shell environment and from workspace-root .env / .env.<name>. Do not put real secrets inside this YAML.
secrets:
email: ${TEST_USER_EMAIL}
password: ${TEST_USER_PASSWORD}
variables:
locale: en-USFor a resolved environment name N, the CLI loads variables in this order:
.env.N— environment-specific dotenv file.env— fills in any keys not already setprocess.env— wins if the same name is set in both a file and the shell environment
This single workspace-root dotenv setup is used for:
- Resolving
secretsmappings declared in.finalrun/env/*.yaml(from${ENV_VAR}placeholders), which are referenced as${secrets.*}in test specs. - Reading AI provider API keys (
OPENAI_API_KEY,GOOGLE_API_KEY,ANTHROPIC_API_KEY) forfinalrun testandfinalrun suite.
When no FinalRun environment is in use (env-free workspace), the CLI does not require a .env.N file for YAML bindings; you can still use process.env or .env for keys if applicable.
FinalRun resolves API keys by provider prefix:
| Provider prefix | Environment variable |
|---|---|
openai/... |
OPENAI_API_KEY |
google/... |
GOOGLE_API_KEY |
anthropic/... |
ANTHROPIC_API_KEY |
Keys are read from process.env and from workspace-root .env / .env.<name>. You can also pass --api-key to override.
Do not commit .env files. Add the following to your app repository's .gitignore:
.env
.env.*
!.env.exampleThis ignores .env, .env.dev, .env.staging, and similar while keeping .env.example tracked as a template.
adbavailable throughANDROID_HOME,ANDROID_SDK_ROOT, orPATHemulatoronPATH; the current Android preflight requires it to discover and boot Android Virtual DevicesscrcpyonPATH— required by FinalRun for Android screen recording during local runs- FinalRun Android driver assets — bundled automatically by the published CLI during installation
- macOS
- Xcode command line tools with
xcrun xcrun simctlunzip/bin/bashplutil- Bundled FinalRun iOS driver archives present; the published CLI installs them automatically
ffmpegcompresses iOS recordings after captureapplesimutilsenables simulator permission helperslsof,ps, andkillhelp with stale iOS driver cleanup
Verify local host readiness with:
finalrun doctor
finalrun doctor --platform android
finalrun doctor --platform ios