fix(langfuse): reject placeholder credentials #23188

Closed
LeonSGP43 wants to merge 1 commit into NousResearch:main from LeonSGP43:codex/22763-langfuse-placeholder-guard

@LeonSGP43

Contributor

What does this PR do?

Detects obvious placeholder Langfuse credentials and fails loudly instead of silently treating the plugin as configured.

Related Issue

Fixes #22763

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 🔒 Security fix
  • 📝 Documentation update
  • ✅ Tests (adding or improving test coverage)
  • ♻️ Refactor (no behavior change)
  • 🎯 New skill (bundled or hub)

Changes Made

  • add placeholder-value detection helpers in plugins/observability/langfuse/__init__.py
  • warn and short-circuit initialization when public/secret keys are obvious placeholders
  • extend tests/plugins/test_langfuse_plugin.py with a regression test for placeholder credentials

How to Test

  1. Run UV_PYTHON=3.11 /Library/Frameworks/Python.framework/Versions/3.10/bin/uv run --frozen pytest -q -o addopts='' tests/plugins/test_langfuse_plugin.py
  2. Run UV_PYTHON=3.11 /Library/Frameworks/Python.framework/Versions/3.10/bin/uv run --frozen ruff check plugins/observability/langfuse/__init__.py tests/plugins/test_langfuse_plugin.py
  3. Verify _get_langfuse() returns None and logs a warning when LANGFUSE_PUBLIC_KEY / LANGFUSE_SECRET_KEY are placeholder values

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix/feature (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass
  • I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • I've tested on my platform: macOS 15.x

Documentation & Housekeeping

  • I've updated relevant documentation (README, docs/, docstrings) — or N/A
  • I've updated cli-config.yaml.example if I added/changed config keys — or N/A
  • I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
  • I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
  • I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Screenshots / Logs

  • 8 passed in 0.59s
  • ruff check passed for the touched Langfuse files

@kshitijk4poor

Collaborator

Thanks @LeonSGP43 — closing as a duplicate of #23831 (now landed via salvage #26320).

Both PRs target the same bug (#22763 / #23823: placeholder Langfuse credentials silently drop traces). The differentiating choice was approach:

  • This PR uses a hardcoded blacklist of ~12 known placeholder strings.
  • Fix/langfuse placeholder key warning #23831 uses a prefix whitelist against the documented pk-lf- / sk-lf- prefixes that Langfuse bakes into every issued key.

The whitelist approach catches strictly more cases — values like your-langfuse-key, <your-key>, REPLACE_ME, change-me, xxx, dummy-key-here would slip past the blacklist. It also gives a better log message (names the offending env var, shows a redacted preview, points at the expected prefix) and is more robust to future .env.example template variations.

Sorry for the missed credit — your PR predates #23831 by 1 day and reflects real diagnostic work. Closing here for hygiene; the issue is now fixed on main.
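
The difference between the two approaches compared in the comment above, as an added Python example (not code from either PR). `SAMPLE_DENYLIST`, the function names and the sample key are constructed for illustration; only the `pk-lf-` / `sk-lf-` prefixes and the environment variable names come from the page. The prefix check is a format check and does not prove a key is valid.

```python
import logging

logger = logging.getLogger("langfuse_key_check")

# Prefixes named in the review comment as present on every issued key.
EXPECTED_PREFIX = {
    "LANGFUSE_PUBLIC_KEY": "pk-lf-",
    "LANGFUSE_SECRET_KEY": "sk-lf-",
}

# Constructed deny-list for comparison only; NOT the list from this PR.
SAMPLE_DENYLIST = {"placeholder", "changeme", "your-public-key", "your-secret-key", "todo"}


def redact(value, keep=4):
    """Show only the first few characters so logs never carry a full value."""
    return value[:keep] + "..." if len(value) > keep else "***"


def denylist_accepts(value):
    """Deny-list approach: accept anything that is not a known placeholder."""
    return bool(value) and value.strip().lower() not in SAMPLE_DENYLIST


def prefix_problem(env_var, value):
    """Allow-list approach: None if the value carries the expected prefix,
    otherwise a log-safe message naming the variable and the expected prefix."""
    prefix = EXPECTED_PREFIX[env_var]
    value = (value or "").strip()
    if not value:
        return f"{env_var} is not set"
    if not value.startswith(prefix) or len(value) == len(prefix):
        return f"{env_var} looks like a placeholder ({redact(value)!r}); expected prefix {prefix!r}"
    return None


def validate_env(env):
    """Return the list of problems; an empty list means both keys look issued."""
    problems = [p for v in EXPECTED_PREFIX if (p := prefix_problem(v, env.get(v)))]
    for p in problems:
        logger.warning("Langfuse disabled: %s", p)
    return problems
```
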

Labels

  • comp/plugins: Plugin system and bundled plugins
  • P3: Low — cosmetic, nice to have
  • type/bug: Something isn't working

Development

Successfully merging this pull request may close these issues.

Langfuse SDK plugin: placeholder API key silent failure

3 participants