feat: per-profile env vars via .env file and YAML env block

[hummuscience]

Adds two ways to inject environment variables into the spawned CLI on aimux run <profile> and aimux auth login <profile>:

• <profile>/.env — dotenv file in the profile dir (good for secrets; parser supports KEY=value, export prefix, comments, single/double quotes, and basic escapes inside double quotes)
• env: map under the profile in config.yaml (good for non-secret toggles; overrides .env on key conflict)

Both sources are merged and passed alongside CLAUDE_CONFIG_DIR. This unlocks env-driven Claude Code modes (Microsoft Foundry, Bedrock, Vertex, custom proxies) per profile without touching the launching shell. README documents the Microsoft Foundry recipe.

Tests cover the dotenv parser, the merge precedence, and that profile env actually flows through buildRunParams.

[shahinyanm1-work]

Solid PR — parser is tight, tests cover the right paths, README recipe makes the feature self-explanatory. Approving with a couple of small notes; nothing blocking.

Small parser bug

Inline comments after a quoted value don't get stripped. FOO="bar" # comment ends up as "bar" # comment because the strip-comment branch is skipped when the value starts with a quote, and then the strip-quotes branch bails because the last char isn't a quote either. Probably worth handling, or at least noting in the README — quoted-value users will hit this sooner or later.

Documentation nit

The parser doesn't do ${VAR} interpolation and doesn't support multi-line values. Both are fine for the dotenv-as-secrets use case, but worth one line in the README so people don't expect full dotenv-expand behavior.

Security hygiene (optional)

The README tells people to chmod 600 .env. Could be worth a runtime warning when aimux run sees a profile .env with mode > 0600 — same way docker complains about loose key permissions. Not a blocker, just an "easy win later" item.

Everything else looks good — process.env merge, CLAUDE_CONFIG_DIR override order, is_source handling, validation in config.ts, and the auth-login path all do the right thing.

[Shahinyanm]

Solid PR — parser is tight, tests cover the right paths, README recipe makes the feature self-explanatory. Approving with a couple of small notes; nothing blocking.

Small parser bug

Inline comments after a quoted value don't get stripped. FOO="bar" # comment ends up as "bar" # comment because the strip-comment branch is skipped when the value starts with a quote, and the strip-quotes branch bails because the last char isn't a quote either. Worth handling, or at least noting in the README — quoted-value users will hit this sooner or later.

Documentation nit

Parser doesn't do ${VAR} interpolation and doesn't support multi-line values. Both fine for the dotenv-as-secrets use case, but worth one line in the README so people don't expect full dotenv-expand behavior.

Security hygiene (optional)

README tells people to chmod 600 .env. Could be worth a runtime warning when aimux run sees a profile .env with mode > 0600 — same way docker complains about loose key permissions. Not a blocker, easy follow-up.

Everything else looks good — process.env merge, CLAUDE_CONFIG_DIR override order, is_source handling, validation in config.ts, and the auth-login path all do the right thing.