1. Engram eval binary reintroduces /proc/cmdline token exposure that production hardened against
A security review has identified a critical flaw in the Engram eval binary: the `--api-key` CLI flag allows bearer tokens to appear in `/proc/cmdline`, exposing them to any process on the host with read access to `/proc`. The production binary (`cmd/engram`) explicitly avoids this attack surface by reading `ENGRAM_API_...