Would it make sense to allow specifying the environment variables in the config (in something like codeQL.autofix.env)?

I'm not sure I'm understanding how to specify these in the config. i.e. Are you suggesting specifying the API key for CAPI_DEV_KEY directly in the settings.json file (is that safe)? Or specifying the path to a local file where the API key is stored? Or something else?

I don't think we want to add the secret as a config setting. There are ways of adding secrets securely, but I think just keeping it as an env var is fine. Much simpler. Just please be sure to document.

There are some complications if you are using a codespace. I'm not sure how it would work. Can you inject env vars into it?

As for the PATH variable. I'm not sure if it makes sense either.

I agree that we probably don't want to add the secret in the config file, but allowing you to set custom environment variables might still be useful, for example an ENVIRONMENT environment variable. We could also just pass through all of process.env to set custom environment variables though.

I'm not sure exactly how VS Code picks up environment variables, but it seems like it's possible to specify secrets when using Codespaces: Using secrets.

I think stdio: [0, 1, 2] will ensure that the autofix CLI logs to the stdout/stderr of VS Code, but I don't think you can view those. I think it would make sense to log those to the extension logs. A good example of this can be found in runCodeQlCliInNewProcess, specifically in handleProcessOutput.

We're using tar-stream elsewhere for extracting tarballs. It would be better to use something like that instead of spawning a new process.

Just be aware that tar-stream is currently a dev dependency and would need to be moved to a dependency.