feat(runtime): add runtimeEnv config for CLI process environment variables

[alexey-pelykh]

Problem

CLI runtimes (ClaudeCliRuntime, GeminiCliRuntime, CodexCliRuntime, OpenCodeCliRuntime) have buildEnv() methods that return empty objects. There is no way to inject environment variables (API keys, OAuth tokens, custom config) into spawned CLI processes via configuration.

If the CLI binary is not independently authenticated on the host, agent runs silently fail with no output.

Solution

Add runtimeEnv to AgentDefaultsConfig as a sibling to the existing runtime and runtimeArgs fields:

{
  "agents": {
    "defaults": {
      "runtime": "claude",
      "runtimeArgs": ["--dangerously-skip-permissions"],
      "runtimeEnv": {
        "ANTHROPIC_API_KEY": "sk-ant-..."
      }
    }
  }
}

Implementation

• Add runtimeEnv?: Record<string, string> to AgentDefaultsConfig
• Add resolveCliRuntimeEnv() in runtime-factory.ts (parallel to resolveCliRuntimeArgs())
• Thread runtimeEnv through to AgentExecuteParams.env in ChannelBridge
• CLIRuntimeBase.execute() already merges params.env into the spawn environment (line 54)
• Each runtime's buildEnv() can remain {} — config-driven env is the intended mechanism

Why not wire auth profiles into buildEnv()?

The auth profile system (auth-profiles.json, resolveApiKeyForProvider()) serves RemoteClaw's own internal API calls (media understanding, status display). CLI credential injection is a different concern — users should explicitly configure what env vars their CLI gets. runtimeEnv is transparent, works for any CLI/provider/auth mechanism, and doesn't couple the runtime layer to auth profile internals.

Related

• fix(middleware): CLIRuntimeBase silently discards stderr when CLI exits with error #374 — CLIRuntimeBase silently discards stderr (makes auth failures invisible)
• The auth profile system itself is targeted for removal in a separate gut issue