feat(security): add role_wrapper.sh and update setup_missions for secure token injection

native_crumbcore_v1/scripts/role_wrapper.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# 🛡️ Crumbforest Role Wrapper
+# Injects secrets securely at runtime without storing them in user env.
+
+ENV_FILE="/opt/crumbforest/.env"
+
+# 1. Check if .env exists
+if [ ! -f "$ENV_FILE" ]; then
+    echo "❌ Error: Configuration not found at $ENV_FILE"
+    exit 1
+fi
+
+# 2. Extract API Key (securely)
+# We use grep/sed to avoid sourcing the entire file (security best practice)
+API_KEY=$(grep "^OPENROUTER_API_KEY=" "$ENV_FILE" | cut -d'=' -f2-)
+
+if [ -z "$API_KEY" ]; then
+    echo "❌ Error: OPENROUTER_API_KEY not found in config."
+    exit 1
+fi
+
+# 3. Export for the sub-process
+export OPENROUTER_API_KEY="$API_KEY"
+
+# 4. Determine the target script
+ROLE_SCRIPT="$1"
+shift  # Remove script name from args
+
+# Check if script exists
+if [ ! -f "$ROLE_SCRIPT" ]; then
+    echo "❌ Error: Role script not found: $ROLE_SCRIPT"
+    exit 1
+fi
+
+# 5. Execute the role script with arguments
+# We use 'exec' to replace the wrapper process with the target
+exec "$ROLE_SCRIPT" "$@"