feat(cli): add /env to list agent-code-relevant environment variables

[emal-avala]

Summary

Adds `/env` — shows only the environment variables agent-code actually reads.

• Config overrides: `AGENT_CODE_API_BASE_URL`, `AGENT_CODE_MODEL`, `AGENT_CODE_CONFIG`
• Provider API keys: `AGENT_CODE_API_KEY` + 12 provider-native keys (Anthropic, OpenAI, xAI, Google, DeepSeek, Groq, Mistral, Zhipu, Together, OpenRouter, Cohere, Perplexity)
• Runtime / logging: `RUST_LOG`, `RUST_BACKTRACE`, `NO_COLOR`, `CLICOLOR_FORCE`
• Shell context: `SHELL`, `TERM`, `EDITOR`

Masking: anything ending `_API_KEY`, `_TOKEN`, or `_SECRET` is displayed as `(N chars, ends in …xxxx)` — enough to confirm the right key is set without leaking it into a screenshare or transcript. Values ≤4 chars are fully masked.

Variables that aren't set are omitted. Tail note tells users "set but not listed variables are not read by agent-code" — important for troubleshooting.

Why

Two common troubleshooting questions this answers:

1. "Is my API key actually set in the env this process sees?" (masking confirms length + suffix)
2. "Why is this config value being overridden?" (shows the AGENT_CODE_* overrides in one place)

Previously these required `env | grep ANTHROPIC` / mental model of which vars matter.

Test plan

• `cargo fmt --all` clean
• `cargo check` passes
• `cargo clippy --no-deps` clean
• `cargo test --bin agent commands::tests` (12 tests total; 3 new for is_secret_var classification + mask_secret length/tail guarantees + short-value safety)
• Manual: `ANTHROPIC_API_KEY=sk-abc123... /env` shows `(N chars, ends in …c123)`, not the raw key
• Manual: `/env` with nothing set prints "none of the tracked variables are set"

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.