bug: os.environ credential bleed across conversations in multi-tenant server

[csmith49]

Problem

The LLM's model_validator writes API keys and base URLs directly into os.environ. In a multi-tenant server where different conversations may use different LLM providers/keys, one conversation's credentials are visible to all others via the process environment. Combined with the modify_params race (#4 in tracking issue), a conversation could inadvertently use another tenant's credentials.

Location: llm/llm.py model_validator

Evidence

Code review of llm.py model_validator. Environment variables are the mechanism for passing credentials to litellm.

Severity: Critical

Impact of fix

Tenant isolation for credentials in multi-conversation servers.

Suggested fix

Pass credentials through litellm's function arguments or per-call configuration instead of os.environ. Medium effort (requires understanding litellm's credential passing API).

Related issues and PRs

• Command-scoped secrets persist across TerminalExecutor session boundaries #2944 — Command-scoped secrets persist across TerminalExecutor session boundaries (open issue, same class of credential leakage)
• sec: Support Laminar API key injection to prevent credential leaks #2814 — Support Laminar API key injection to prevent credential leaks (closed PR)
• feat(acp): secrets in agent_context — prompt awareness + subprocess injection #2984 — feat(acp): secrets in agent_context — prompt awareness + subprocess injection (closed PR)
• Security: Credentials in plugin source URLs exposed in logs, exceptions, and persisted state #2152 — Security: Credentials in plugin source URLs exposed in logs, exceptions, and persisted state (open issue)

Discovered during profiling investigation (code review), May 2026. openhands-sdk v1.19.1.