> Assuming a doas.conf with "keepenv" somewhere appropriate, the first
> of any dupliate is selected by doas, while the last is selected by
> su.

I don't think su is doing anything here.  It just calls execv.  It does
not manipulate the environment.

Based upon your other tests, the duplicated environment makes it through
the kernel, which should not put effort into identifying the situation
or adjusting it.  It just validates space, then copies the array to
the new stack.

> Should this be made consistent between the two? (Shells and
> languages also vary here, though I haven't found any that pick only
> the middle, yet.)

		$ dupenv FOO=first FOO=middle FOO=last env | grep FOO
		FOO=first
		FOO=middle
		FOO=last
		$ dupenv FOO=first FOO=middle FOO=last doas env | grep FOO
		FOO=first
		$ dupenv FOO=first FOO=middle FOO=last su
		Password:
		$ env | grep FOO
		FOO=last

I think your shell is ksh.

Looking at some code, I find that during initialization, in ksh/main.c
there is:

        /* import environment */
        if (environ != NULL)
                for (wp = environ; *wp != NULL; wp++)
                        typeset(*wp, IMPORT|EXPORT, 0, 0, 0);

Then looking at the typeset() function, it doesn't care if there
is a previous import of the variable, it will replace it, and thus look
like 'last pick' to you.

doas, on the other hand, is definately first match:

                        if (RB_INSERT(envtree, &env->root, node)) {
                                /* ignore any later duplicates */

I have a hard time believing that doas should be changed.

I'm not sure a consistancy for this is achievable in practice.  There
will always be outliers, right?