
Feat/add yaml secrets var#14

Merged: philschmid merged 2 commits into main from feat/add-yaml-secrets-var on Jun 6, 2026

@ivanleomk

Contributor

No description provided.

@ivanleomk ivanleomk force-pushed the feat/add-yaml-secrets-var branch from d3bb8a7 to aa968cd Compare June 5, 2026 20:47

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces the ability to load environment variables from a .env file and resolve placeholders within the agent's YAML configuration. It also updates the agents create command to use id instead of name in the request body. The review feedback highlights three key improvements: using a replacer function in replaceAll to prevent corruption from special replacement patterns in environment variables, ensuring resolveEnvVars only traverses plain objects to avoid breaking non-plain objects like Date, and handling .env loading errors outside the main try block to provide clearer error messages.

Comment thread src/lib/config.ts
@ivanleomk ivanleomk force-pushed the feat/add-yaml-secrets-var branch 3 times, most recently from 696b844 to b02c086 Compare June 5, 2026 20:59
@ivanleomk ivanleomk force-pushed the feat/add-yaml-secrets-var branch from b02c086 to ed136c6 Compare June 5, 2026 21:01
@ivanleomk

ivanleomk commented Jun 5, 2026

Contributor Author

Verifying --env YAML Secret Resolution

This PR lets local agent configs reference secrets with ${VAR} placeholders and resolve them from an explicit .env file via --env. We use process.env variables as a fallback when values are missing and throw an error if that fails.

Example setup:

  bun dist/cli.js agents init github-runner

Create github-runner/.env:

```text
GITHUB_PAT=ghp_fake_private_repo_token
GEMINI_API_KEY=fake_gemini_api_key
YOUTUBE_API_KEY=fake_youtube_api_key
```

Update github-runner/agent.yaml:

  id: github-runner
  base_agent: antigravity-preview-05-2026
  instructions: |
    Review code changes, inspect linked videos when useful, and produce actionable findings.
  tools:
    - type: code_execution
  sources:
    - type: github
      source: "https://${GITHUB_PAT}@github.com/my-org/private-repo"
      target: "/workspace/private-repo"
  environment:
    type: remote
    network:
      allowlist:
        - domain: generativelanguage.googleapis.com
          transform:
            x-goog-api-key: "${GEMINI_API_KEY}"
        - domain: www.googleapis.com
          transform:
            x-goog-api-key: "${YOUTUBE_API_KEY}"
        - domain: youtube.com
        - domain: www.youtube.com

Run dry-run create:

  bun dist/cli.js agents create \
    --path github-runner \
    --env github-runner/.env \
    --dry-run

The output shows placeholders resolved into the create request:

  {
    "id": "github-runner",
    "base_agent": "antigravity-preview-05-2026",
    "base_environment": {
      "sources": [
        {
          "type": "repository",
          "source": "https://ghp_fake_private_repo_token@github.com/my-org/private-repo",
          "target": "/workspace/private-repo"
        }
      ],
      "network": {
        "allowlist": [
          {
            "domain": "generativelanguage.googleapis.com",
            "transform": {
              "x-goog-api-key": "fake_gemini_api_key"
            }
          },
          {
            "domain": "www.googleapis.com",
            "transform": {
              "x-goog-api-key": "fake_youtube_api_key"
            }
          }
        ]
      }
    }
  }

So the shareable agent.yaml keeps ${GITHUB_PAT}, ${GEMINI_API_KEY}, and ${YOUTUBE_API_KEY} placeholders, while the create request receives resolved values from github-runner/.env.

@philschmid philschmid merged commit cb63496 into main Jun 6, 2026
6 checks passed
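
The `${VAR}` resolution described in this PR, with the points from the review summary applied (replacer function, plain objects only), as an added example that is not the project's code from src/lib/config.ts. The function names, the `Env` type and the sample values are assumptions, and the environment fallback is passed in as a parameter (a caller would pass `process.env`).

```typescript
// Added example with hypothetical names; not the code in src/lib/config.ts.
type Env = Record<string, string | undefined>;
const PLACEHOLDER = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Naive form: a *string* replacement is parsed for $$, $&, $1, ...
// so a secret that contains "$" is silently altered.
function naiveSubstitute(text: string, name: string, value: string): string {
  return text.replace("${" + name + "}", value);
}

// Own-property lookup, so ${constructor} cannot resolve via the prototype.
function lookup(env: Env, name: string): string | undefined {
  return Object.prototype.hasOwnProperty.call(env, name) ? env[name] : undefined;
}

function isPlainObject(v: unknown): v is Record<string, unknown> {
  if (typeof v !== "object" || v === null) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Resolve ${VAR} in every string of a parsed YAML value. Values from the
// .env file win, fallbackEnv is consulted next, otherwise an error is thrown.
function resolveEnvVars(value: unknown, fileEnv: Env, fallbackEnv: Env = {}): unknown {
  if (typeof value === "string") {
    // Replacer function: its return value is inserted literally.
    return value.replace(PLACEHOLDER, (_match: string, name: string) => {
      const resolved = lookup(fileEnv, name) ?? lookup(fallbackEnv, name);
      if (resolved === undefined) {
        // Report the variable name only, never a resolved value.
        throw new Error("Missing environment variable: " + name);
      }
      return resolved;
    });
  }
  if (Array.isArray(value)) {
    return value.map((item) => resolveEnvVars(item, fileEnv, fallbackEnv));
  }
  if (isPlainObject(value)) {
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(value)) {
      out[key] = resolveEnvVars(value[key], fileEnv, fallbackEnv);
    }
    return out;
  }
  return value; // Date, number, boolean, null: returned untouched
}
```

As the dry-run output above shows, the resolved request body contains the secret values in clear text, so captured `--dry-run` output needs the same handling as the `.env` file itself.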