sec(router): deprecate plaintext api_key field in route config YAML #583

@cluster2600

Summary

RouteConfig in crates/openshell-router/src/config.rs (lines 26–28) accepts api_key directly as a YAML field alongside the more secure api_key_env (which reads from environment variables). This means real API keys could end up in config files on disk.

The ResolvedRoute struct does have a custom Debug impl that redacts the api_key field (line 56: .field("api_key", &"[REDACTED]")), preventing accidental logging — which is good.

Impact

  • Severity: Medium
  • Config files containing plaintext API keys may be committed to version control, included in backups, or exposed through file access.

Proposed Fix

  1. Emit a warning when plaintext api_key is used in config files
  2. Consider deprecating the api_key field in favour of api_key_env only
  3. Document the security implications in the config reference
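A sketch of how fix items 1 and 2 could behave, added here as an illustration and not taken from the openshell-router code base. Only the field names `api_key` and `api_key_env` come from the issue; `resolve_api_key`, `Secret`, `KeySource` and `Resolved` are hypothetical. It assumes `api_key_env` takes precedence and that a missing variable fails closed instead of falling back to the plaintext value.

```rust
use std::fmt;

#[derive(Debug, PartialEq)]
pub enum KeySource { Env, PlaintextDeprecated } // hypothetical type

/// Hypothetical wrapper: its Debug output never contains the secret.
pub struct Secret(String);
impl Secret { pub fn expose(&self) -> &str { &self.0 } }
impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("[REDACTED]") }
}

#[derive(Debug)]
pub struct Resolved { pub key: Secret, pub source: KeySource, pub warning: Option<String> }

/// Resolve a route's key. `env` is injected so the lookup is testable;
/// production code would pass `|n| std::env::var(n).ok()`.
pub fn resolve_api_key(
    route: &str,
    api_key: Option<&str>,
    api_key_env: Option<&str>,
    env: impl Fn(&str) -> Option<String>,
) -> Result<Resolved, String> {
    if let Some(var) = api_key_env {
        // Fail closed: never fall back to the plaintext field if the variable is missing.
        let value = env(var).filter(|v| !v.is_empty())
            .ok_or_else(|| format!("route {route}: environment variable {var} is unset or empty"))?;
        let warning = api_key
            .map(|_| format!("route {route}: plaintext api_key ignored, api_key_env is set; remove it from the file"));
        return Ok(Resolved { key: Secret(value), source: KeySource::Env, warning });
    }
    match api_key {
        Some(k) if !k.is_empty() => Ok(Resolved {
            key: Secret(k.to_owned()),
            source: KeySource::PlaintextDeprecated,
            // The warning names the route and field only, never the key value.
            warning: Some(format!("route {route}: plaintext api_key in config is deprecated; use api_key_env")),
        }),
        _ => Err(format!("route {route}: no api_key_env or api_key configured")),
    }
}

fn main() {
    // Constructed sample values, not real credentials.
    let env = |name: &str| (name == "DEMO_KEY").then(|| "constructed-secret".to_string());
    let r = resolve_api_key("demo", Some("sk-constructed"), None, env).unwrap();
    if let Some(w) = &r.warning { eprintln!("warning: {w}"); }
    println!("{r:?}");
}
```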
