fix(llm): rename APIKeyEnv to EnvVar (CodeQL fix)

[bussyjd]

Summary

• Renames ProviderStatus.APIKeyEnv to ProviderStatus.EnvVar in internal/llm/llm.go and updates the two references in cmd/obol/llm.go

Context

CodeQL flagged APIKeyEnv as sensitive data flowing to fmt.Printf at cmd/obol/llm.go:78. The field only stores the env var name (e.g. "ANTHROPIC_API_KEY"), not the actual secret — but the APIKey substring in the field name triggers CodeQL's taint heuristic.

Fix: https://github.com/ObolNetwork/obol-stack/runs/63785905429

Test plan

• go build ./cmd/obol passes
• go test ./... — 28/28 pass
• Live inference verified (llmspy + OpenClaw + Traefik chain)

[bussyjd]

Security Audit: Clear-Text Logging of Sensitive Information

A security audit was performed to assess whether the CodeQL finding is legitimate and whether other sensitive data logging patterns exist in the codebase.

CodeQL Finding (cmd/obol/llm.go:78) — FALSE POSITIVE

ProviderStatus.APIKeyEnv (now renamed to EnvVar) stores environment variable names (e.g. "ANTHROPIC_API_KEY"), never the actual secret value. The data flow:

providerEnvKeys["anthropic"] = "ANTHROPIC_API_KEY"  →  ProviderStatus.EnvVar  →  fmt.Printf()

Printing the name of an environment variable is non-sensitive. The APIKey substring in the old field name triggered CodeQL's taint heuristic. Renaming to EnvVar resolves the false positive.

---

Broader Audit — Pre-existing Findings (not introduced by this PR)

The audit checked all files in internal/llm/, internal/openclaw/, and cmd/obol/ for sensitive data logging patterns.

Severity	File	Line	Issue	Introduced by
HIGH	internal/openclaw/openclaw.go	714	fmt.Printf("Gateway token: %s\n", token) — prints actual gateway token to terminal	Pre-existing
HIGH	internal/openclaw/openclaw.go	711	Dashboard URL with embedded token: http://localhost:PORT/#token=<TOKEN> printed to stdout	Pre-existing
HIGH	internal/llm/llm.go	53	API key embedded in kubectl patch command args — visible in /proc/PID/cmdline while running	Pre-existing
MODERATE	internal/openclaw/openclaw.go	975	Token passed as --token CLI arg to openclaw binary — visible in ps output	Pre-existing
MODERATE	internal/openclaw/openclaw.go	1315	API key input not suppressed (echoed to terminal during interactive prompt)	Pre-existing
OK	internal/openclaw/openclaw.go	1480	collectSensitiveData() properly zeroes API keys/tokens after extraction	PR #161 (good)

Positive Patterns

• collectSensitiveData() correctly strips literal secrets from ImportResult before overlay YAML generation
• writeUserSecretsFile() uses 0600 permissions for the local secrets file
• HasAPIKey field stores a boolean, not the key itself
• EnvVar field stores the env var name, not the value

Recommendations (separate follow-up)

1. Gateway token logging (openclaw.go:711-714): Replace fmt.Printf("Gateway token: %s\n", token) with a reference to obol openclaw token <id>
2. kubectl patch args (llm.go:53): Pass patch JSON via stdin instead of -p flag to avoid /proc exposure
3. Interactive API key input (openclaw.go:1315): Use golang.org/x/term.ReadPassword() to suppress echo

Verdict

This PR is clean. The rename from APIKeyEnv to EnvVar correctly resolves the CodeQL false positive. The high-severity findings are pre-existing and should be addressed in a separate PR.