Audits and hardens API credential handling (env vars, separation, rotation plan, least privilege, auditability). Use whe