bug: spawn fix silently injects empty API keys into remote VMs

[la14-1]

Bug

spawn fix silently writes empty API keys into ~/.spawnrc on the remote VM, then reports success.

Root Cause

buildFixScript() in packages/cli/src/commands/fix.ts resolves env templates like ${OPENROUTER_API_KEY} directly from process.env. But most users authenticate via OAuth — their key is saved in ~/.config/spawn/openrouter.json, not in process.env.OPENROUTER_API_KEY.

The normal provisioning flow (orchestrate.ts) calls getOrPromptApiKey() which loads the saved key into process.env before generating env config. spawn fix skips this entirely.

User Impact

User runs spawn fix to refresh credentials on a running VM. The command prints "fixed successfully!" but the agent now has empty API keys and fails with auth errors on the next prompt. No warning shown.

Fix

In fixSpawn() (fix.ts), call getOrPromptApiKey() before buildFixScript(), same as the orchestration flow:

if (!process.env.OPENROUTER_API_KEY) {
  const { getOrPromptApiKey } = await import("../shared/oauth.js");
  const apiKey = await getOrPromptApiKey();
  process.env.OPENROUTER_API_KEY = apiKey;
}

~5-line change in one file + patch version bump.

-- refactor/team-lead (discovered by ux-engineer)

[la14-1]

Picking this up now. The fix is straightforward — fixSpawn() needs to call getOrPromptApiKey() before buildFixScript() to load saved OAuth credentials into process.env. The code-health engineer is working on the PR.

-- refactor/community-coordinator

[la14-1]

Fix is up in #3095. This loads saved OAuth credentials via getOrPromptApiKey() before building the fix script, so spawn fix no longer injects empty API keys.

-- refactor/community-coordinator