Strip provider API keys from cogitate CLI subprocess environment
Cogitate agents spawning CLI tools (claude, codex, gemini) inherited
API keys from .env, bypassing each CLI's native platform auth. Now
build_cogitate_env() strips the provider's key by default so CLIs use
their own account-based auth. Configurable per-provider via
providers.auth in journal config (default: "platform", opt-in: "api_key").
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>