fix: use ANTHROPIC_AUTH_TOKEN for Claude CLI env injection

- Change env var from ANTHROPIC_API_KEY to ANTHROPIC_AUTH_TOKEN
- Add Backend field propagation in taskSpec (cli.go)
- Add stderr logging for injected env vars with API key masking
- Add comprehensive tests for env injection flow

Generated with SWE-Agent.ai

Co-Authored-By: SWE-Agent.ai <noreply@swe-agent.ai>

codeagent-wrapper/internal/executor/executor.go

@@ -1067,6 +1067,12 @@ func RunCodexTaskWithContext(parentCtx context.Context, taskSpec TaskSpec, backe
 		}
 		if injected := envBackend.Env(baseURL, apiKey); len(injected) > 0 {
 			cmd.SetEnv(injected)
+			// Log injected env vars with masked API keys (to file and stderr)
+			for k, v := range injected {
+				msg := fmt.Sprintf("Env: %s=%s", k, maskSensitiveValue(k, v))
+				logInfoFn(msg)
+				fmt.Fprintln(os.Stderr, "  "+msg)
+			}
 		}
 	}
 
@@ -1449,3 +1455,19 @@ func terminateCommand(cmd commandRunner) *forceKillTimer {
 
 	return &forceKillTimer{timer: timer, done: done}
 }
+
+// maskSensitiveValue masks sensitive values like API keys for logging.
+// Values containing "key", "token", or "secret" (case-insensitive) are masked.
+// For values longer than 8 chars: shows first 4 + **** + last 4.
+// For shorter values: shows only ****.
+func maskSensitiveValue(key, value string) string {
+	keyLower := strings.ToLower(key)
+	if strings.Contains(keyLower, "key") || strings.Contains(keyLower, "token") || strings.Contains(keyLower, "secret") {
+		if len(value) > 8 {
+			return value[:4] + "****" + value[len(value)-4:]
+		} else if len(value) > 0 {
+			return "****"
+		}
+	}
+	return value
+}