feat(sandbox): L7 credential injection — query parameter rewriting and Basic auth encoding

[htekdev]

Summary

Two specific gaps remain in the L7 credential injection system after the existing header injection pattern (used by inference.local) was established. This issue tracks adding support for:

1. Query parameter rewriting — inject credentials as URL query parameters (e.g., ?api_key=VALUE)
2. Basic Authorization header encoding — support raw username:password credentials that need base64 encoding before injection as Authorization: Basic <base64>, including decode/rewrite/re-encode flows

Prior work

• feat: L7 credential injection for non-inference providers #538 (closed) — original broad proposal for L7 credential injection
• feat(sandbox): L7 credential injection for non-inference providers #541 (closed) — PR that went too far by modifying the network policy file spec

The L7 proxy already handles simple header injection (e.g., x-api-key: VALUE or Authorization: Bearer VALUE). These two cases require additional logic.

Use Case 1: Query Parameter Rewriting

APIs like the YouTube Data API authenticate via query parameters:

GET /youtube/v3/search?part=snippet&q=test&key=AIza...

The credential injector should:

• Append the credential as a percent-encoded query parameter to the request URL
• Handle URLs that already have query parameters (& vs ?)
• Strip any existing instance of the parameter from the agent's request (prevent spoofing)

Use Case 2: Basic Authorization Header Encoding

Some APIs use HTTP Basic auth where the credential is username:password, base64-encoded:

Authorization: Basic dXNlcjpwYXNzd29yZA==

The credential injector should:

• Accept a raw username:password credential value
• Base64-encode it and inject as Authorization: Basic <encoded>
• For rewriting scenarios: decode an existing Authorization: Basic header, perform credential substitution on the decoded content, then re-encode

Scope

• In scope: Changes to the credential injection/L7 relay code in openshell-sandbox
• Out of scope: Modifications to the network policy file spec or proto schema

[htekdev]

Live Verification Complete — All Credential Injection Gaps Covered ✅

Tested all the injection methods from PR #631 in a live sandbox environment against real APIs. Every path works:

Injection Type	Test	Result
Bearer/token prefix	Authorization: Bearer $PLACEHOLDER → GitHub API	✅ 200 OK
Basic auth (base64)	Authorization: Basic base64(user:$PLACEHOLDER) → GitHub API	✅ 200 OK
Query parameter	?key=$PLACEHOLDER → YouTube Data API v3	✅ Real results

The only remaining gap is the Copilot CLI client-side token validation — the Copilot CLI rejects the openshell:resolve:env:* placeholder before making any HTTP request. This is tracked upstream at github/copilot-cli#2431 and is a Copilot CLI issue, not an OpenShell issue.