ci: shell-quote env values in system-integration workflow (#536)

* ci: shell-quote env values for system integration tests

Two bugs in the env file step prevented the weekly System Integration
Tests from ever passing since #427 (2026-01-26):

1. The deletion regex `/^KEY=/` did not match the template's
   `export KEY=replace-me` lines, leaving stale `replace-me` placeholders
   in the file alongside the appended real values.
2. Appended values were not shell-quoted, so `source ./env` in
   deployment/crs-architecture.sh treated whitespace and metacharacters
   as shell syntax. The `OTEL_TOKEN` secret (a `Bearer <token>` header)
   tripped this with `command not found` on the token component.

The same gap was a code-execution sink: a secret containing `$(...)` or
backticks would execute on the runner at source time.

Fix: strip with `(export[[:space:]]+)?` so template lines are actually
removed, and write with `printf 'export %s=%q\n'` so every value is
shell-escaped — defending against both whitespace and injection.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: drop placeholder block from ci-env.template

The placeholder lines (`export KEY=replace-me`) only existed because the
pre-rewrite step substituted into them with `sed -i "s|KEY=.*|...|"`.
The new `printf %q` write path doesn't need them, so removing them at
the source eliminates the entire delete-then-rewrite dance.

Drops `strip_var` and the for-loop. The workflow step is now: copy the
static template, then append shell-quoted assignments for every secret
the env: block injects. GHCR_AUTH is no longer defined at all, so the
`[ -n "$GHCR_AUTH" ]` warning branch in crs-architecture.sh:63 fires as
intended.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hbrodin

.github/ci-env.template

@@ -14,15 +14,3 @@ export OTEL_PROTOCOL="http"
 export LANGFUSE_ENABLED=true
 export DOCKER_USERNAME=""
 export DOCKER_PAT=""
-
-# Secrets/Env replaced
-export OTEL_ENDPOINT=replace-me
-export OTEL_TOKEN=replace-me
-export BUTTERCUP_NAMESPACE=replace-me
-export GHCR_AUTH=replace-me
-export OPENAI_API_KEY=replace-me
-export ANTHROPIC_API_KEY=replace-me
-export GEMINI_API_KEY=replace-me
-export LANGFUSE_HOST=replace-me
-export LANGFUSE_PUBLIC_KEY=replace-me
-export LANGFUSE_SECRET_KEY=replace-me

.github/workflows/system-integration.yml

@@ -98,30 +98,24 @@ jobs:
           OTEL_EP: ${{ secrets.OTEL_ENDPOINT }}
           OTEL_TK: ${{ secrets.OTEL_TOKEN }}
         run: |
-          cp ../.github/ci-env.template env
-          # Remove GHCR_AUTH line and lines for values we'll append
-          sed -i "/^GHCR_AUTH=/d" env
-          sed -i "/^BUTTERCUP_NAMESPACE=/d" env
-          sed -i "/^OPENAI_API_KEY=/d" env
-          sed -i "/^ANTHROPIC_API_KEY=/d" env
-          sed -i "/^GEMINI_API_KEY=/d" env
-          sed -i "/^LANGFUSE_HOST=/d" env
-          sed -i "/^LANGFUSE_PUBLIC_KEY=/d" env
-          sed -i "/^LANGFUSE_SECRET_KEY=/d" env
-          sed -i "/^OTEL_ENDPOINT=/d" env
-          sed -i "/^OTEL_TOKEN=/d" env
-          # Append values safely using echo (avoids sed injection with special chars)
-          {
-            echo "BUTTERCUP_NAMESPACE=${BUTTERCUP_NS}"
-            echo "OPENAI_API_KEY=${OPENAI_KEY}"
-            echo "ANTHROPIC_API_KEY=${ANTHROPIC_KEY}"
-            echo "GEMINI_API_KEY=${GEMINI_KEY}"
-            echo "LANGFUSE_HOST=${LF_HOST}"
-            echo "LANGFUSE_PUBLIC_KEY=${LF_PUBLIC_KEY}"
-            echo "LANGFUSE_SECRET_KEY=${LF_SECRET_KEY}"
-            echo "OTEL_ENDPOINT=${OTEL_EP}"
-            echo "OTEL_TOKEN=${OTEL_TK}"
-          } >> "env"
+          # The env file is sourced by deployment/crs-architecture.sh, so every
+          # value must be shell-quoted. printf %q produces a form bash can
+          # re-parse as the literal string, defending against shell injection
+          # from secret contents (whitespace, $(), backticks, quotes, etc.).
+          write_var() {
+            printf 'export %s=%q\n' "$1" "$2" >> ./env
+          }
+
+          cp ../.github/ci-env.template ./env
+          write_var BUTTERCUP_NAMESPACE  "$BUTTERCUP_NS"
+          write_var OPENAI_API_KEY       "$OPENAI_KEY"
+          write_var ANTHROPIC_API_KEY    "$ANTHROPIC_KEY"
+          write_var GEMINI_API_KEY       "$GEMINI_KEY"
+          write_var LANGFUSE_HOST        "$LF_HOST"
+          write_var LANGFUSE_PUBLIC_KEY  "$LF_PUBLIC_KEY"
+          write_var LANGFUSE_SECRET_KEY  "$LF_SECRET_KEY"
+          write_var OTEL_ENDPOINT        "$OTEL_EP"
+          write_var OTEL_TOKEN           "$OTEL_TK"
         working-directory: deployment
 
       - name: Run CRS