
fix(security): extend secret redaction to ElevenLabs, Tavily and Exa API keys #3790

Open
memosr wants to merge 1 commit into NousResearch:main from memosr:fix/redact-missing-provider-keys


@memosr (Contributor) commented Mar 29, 2026

What does this PR do?

Three provider API keys used by Hermes were leaking in plain text to
logs and tool output because their prefixes were missing from
_PREFIX_PATTERNS in agent/redact.py.

ElevenLabs TTS keys start with sk_ (underscore). The existing
pattern only covers sk- (dash). One character difference — completely
missed.

Tavily search keys use a tvly- prefix. No pattern existed.

Exa search keys use an exa_ prefix. No pattern existed.

All three providers are actively used by Hermes (TTS, web search).
Running printenv or any command that dumps environment variables would
expose these keys in full.

Related Issue

No existing issue — this is a proactive security fix.

Type of Change

  • 🔒 Security fix

Changes Made

  • agent/redact.py:

    • Added r"sk_[A-Za-z0-9_]{10,}" — ElevenLabs TTS key
    • Added r"tvly-[A-Za-z0-9]{10,}" — Tavily search API key
    • Added r"exa_[A-Za-z0-9]{10,}" — Exa search API key
  • tests/agent/test_redact.py:

    • Added TestMissingProviderKeys class with new test cases
    • Covers inline log lines and env dump format

How to Test

Checklist

  • Read the Contributing Guide
  • Commit messages follow Conventional Commits
  • No duplicate PR found
  • PR contains only this security fix
  • pytest passes
  • Tests added for the fix
  • Tested on: Ubuntu 24.04
  • Cross-platform: pure regex, no OS calls — N/A
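
The gap described in this PR, as an added example (not code from the PR or from agent/redact.py): the three patterns listed under "Changes Made" are applied to a constructed env dump and log line, next to a stand-in for the older dash pattern. The stand-in regex, the `[REDACTED]` mask, the lookbehind guard and all sample values are assumptions of this example.

```python
import re

# Stand-in for the existing dash pattern the description mentions; the
# project's actual regex is not shown on the page (assumption).
OLD_PATTERNS = [r"sk-[A-Za-z0-9_-]{10,}"]

# The three patterns listed under "Changes Made".
NEW_PATTERNS = [
    r"sk_[A-Za-z0-9_]{10,}",   # ElevenLabs TTS key
    r"tvly-[A-Za-z0-9]{10,}",  # Tavily search API key
    r"exa_[A-Za-z0-9]{10,}",   # Exa search API key
]

# Constructed sample values, not real credentials.
SECRETS = [
    "sk_0123456789abcdef0123",
    "tvly-ABCDEFabcdef012345",
    "exa_abcdef0123456789",
    "sk-abcdefghij0123456789",
]
SAMPLE = "\n".join([
    f"ELEVENLABS_API_KEY={SECRETS[0]}",
    f"TAVILY_API_KEY={SECRETS[1]}",
    f"EXA_API_KEY={SECRETS[2]}",
    f"DASH_STYLE_API_KEY={SECRETS[3]}",
    f"INFO tts request with key {SECRETS[0]} ok",
    "DEBUG queued task_scheduler_queue_main",
])

def build_redactor(patterns, anchored=True):
    """Return a function that masks every match of the given prefix patterns."""
    # The lookbehind is this example's choice: without it, sk_ also matches
    # inside ordinary identifiers such as task_scheduler_queue_main.
    guard = r"(?<![A-Za-z0-9_])" if anchored else ""
    combined = re.compile(guard + "(?:" + "|".join(patterns) + ")")
    return lambda text: combined.sub("[REDACTED]", text)

def leaked(text):
    """List the sample secrets that survive in text."""
    return [s for s in SECRETS if s in text]

if __name__ == "__main__":
    before = build_redactor(OLD_PATTERNS)(SAMPLE)
    after = build_redactor(OLD_PATTERNS + NEW_PATTERNS)(SAMPLE)
    print("leaked before:", leaked(before))
    print("leaked after: ", leaked(after))
    print(after)
```

With `anchored=False` the `sk_` pattern also rewrites `task_scheduler_queue_main`, which is worth covering in a test next to the env dump and inline log cases.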
