#23009: Onboard: persist env-backed API keys as secret refs

by joshavant open 2026-02-21 22:43
commands maintainer size: M
## Summary

- route onboarding API-key persistence through shared credential builders that can emit either plaintext `key` or `keyRef`
- add env-ref detection for API key inputs via:
  - explicit `${ENV_VAR}` syntax
  - value match against provider-known env vars (for example `OPENAI_API_KEY`)
- when an env-backed value is detected, persist `keyRef: { source: "env", id: "ENV_VAR" }` instead of plaintext in auth profiles
- keep backward compatibility: if no env match/ref is found, onboarding keeps writing plaintext keys exactly as before

## Scope Boundary

- no runtime resolution behavior changes in this PR (activation/failover remains in earlier stack PRs)
- no provider-specific onboarding flow migration in this PR (handled in follow-up PRs)

## Validation

- `pnpm check`
- `pnpm vitest run src/commands/onboard-auth.credentials.test.ts`

<!-- greptile_comment -->

<h3>Greptile Summary</h3>

Routes API key persistence through a unified credential builder that detects environment-backed values and persists them as `keyRef` instead of plaintext. Supports both explicit `${ENV_VAR}` syntax and automatic detection via value matching against provider-specific environment variables. Maintains backward compatibility by falling back to plaintext storage when no environment reference applies.

- refactored 18 provider-specific API key setters to use shared `buildApiKeyCredential` helper
- added `resolveApiKeySecretInput` to detect and convert env-backed values to `SecretRef` objects
- added provider-to-env-var mapping for 17 providers (anthropic, google, moonshot, etc.)
- added comprehensive test coverage for env reference detection, explicit `${ENV}` syntax, plaintext fallback, and metadata preservation

<h3>Confidence Score: 5/5</h3>

- This PR is safe to merge with minimal risk
- Well-structured refactoring with comprehensive test coverage, proper type safety, secure handling of secret references, and maintained backward compatibility. No logical errors or security issues identified.
- No files require special attention

<sub>Last reviewed commit: cc60609</sub>

<!-- greptile_other_comments_section -->

<!-- /greptile_comment -->
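The detection order described in the summary (explicit `${ENV_VAR}` reference, then value match against the provider's known env vars, then plaintext fallback), written out as an added example that is not code from this PR or the project. The names `detectEnvRef`, `buildCredential`, `persisted` and `PROVIDER_ENV_VARS`, the two-entry provider mapping, and the sample key value are assumptions made for illustration; only the `keyRef: { source: "env", id }` shape and `OPENAI_API_KEY` come from the page.

```typescript
// Added illustration; every name here is hypothetical, not the project's API.
type SecretRef = { source: "env"; id: string };
type Credential = { key: string } | { keyRef: SecretRef };
type Env = Record<string, string | undefined>;

// Assumed provider-to-env-var mapping (illustrative subset).
const PROVIDER_ENV_VARS: Record<string, string[]> = {
  openai: ["OPENAI_API_KEY"],
  anthropic: ["ANTHROPIC_API_KEY"],
};

// Explicit reference syntax: the whole input must be ${NAME}.
const EXPLICIT_REF = /^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$/;

function detectEnvRef(provider: string, input: string, env: Env): SecretRef | null {
  const value = input.trim();
  const id = EXPLICIT_REF.exec(value)?.[1];
  // This example does not check that an explicitly named variable is set.
  if (id) return { source: "env", id };
  // An empty input must never "match" an unset or empty variable.
  if (value === "") return null;
  // Only this provider's variables are compared, so a key that happens to
  // equal another provider's variable is not silently rebound to it.
  for (const name of PROVIDER_ENV_VARS[provider] ?? []) {
    if (env[name] === value) return { source: "env", id: name };
  }
  return null;
}

function buildCredential(provider: string, input: string, env: Env): Credential {
  const ref = detectEnvRef(provider, input, env);
  return ref ? { keyRef: ref } : { key: input.trim() };
}

// Constructed sample environment and key value.
const sampleEnv: Env = { OPENAI_API_KEY: "sk-constructed-example-value" };

// What would be written to the auth profile for each kind of input.
function persisted(provider: string, input: string): string {
  return JSON.stringify(buildCredential(provider, input, sampleEnv));
}

console.log(persisted("openai", "sk-constructed-example-value"));
console.log(persisted("anthropic", "${CUSTOM_KEY_VAR}"));
console.log(persisted("openai", "sk-typed-by-hand"));
```

In the value-match case the serialized profile carries only the variable name, so the secret itself never reaches the file on disk.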
