> for static API keys, the backend injects the credential directly into the agent's runtime environment.

What prevents the agent from presisering or leaking the API key - or reading it from the environment?