Summary

• Resolve delegation.api_key_env for direct delegation endpoints before falling back to parent credential inheritance.
• Strip env-derived key values and raise a clear ValueError when the configured env var is missing or empty.
• Add regression tests for env-key resolution, whitespace stripping, missing env handling, and unchanged parent-key inheritance when no env key is configured.
• Add the contributor attribution mapping required by the repository's check-attribution workflow for this PR author email.

Problem

Direct delegation endpoints can point at providers whose key lives outside the parent agent's API key. If delegation.api_key_env is configured but not resolved, the child can inherit an unrelated parent key and fail authentication against the direct endpoint.

Tests

• git diff --check origin/main...HEAD
• python3 -m py_compile tools/delegate_tool.py scripts/release.py
• python3 -m pytest tests/tools/test_delegate.py::TestDelegationCredentialResolution -q -o 'addopts=' → 19 passed
• local reproduction of check-attribution email mapping → pass
• gitleaks detect --source . --no-banner --redact --log-opts='origin/main..HEAD' → no leaks found
• private-path/token regex scan over candidate diff → no hits

Note: full tests/tools/test_delegate.py currently has an unrelated heartbeat test failure on origin/main; this PR's focused credential suite passes.