
fix: limit local mcp subprocess env #32450

Open

wgu9 wants to merge 1 commit into anomalyco:dev from wgu9:wgu9/fix-mcp-env-allowlist


wgu9 commented Jun 15, 2026


Issue for this PR

Fixes #31778

Related: #31894 (closed)

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Local MCP servers currently receive the full parent process.env, so unrelated provider credentials can leak to third-party MCP subprocesses.

This PR adds a single local MCP environment builder that only inherits a small operational allowlist needed to start local commands (PATH, temp/home variables, Windows process basics, locale), then overlays the explicit per-server mcp.environment. That keeps configured MCP credentials working while stopping accidental parent API key inheritance.

It also preserves the existing opencode local MCP compatibility behavior by setting BUN_BE_BUN=1 for that command.

The regression coverage verifies:

  • parent process secrets such as OPENAI_API_KEY / ANTHROPIC_API_KEY are not inherited by default
  • explicit mcp.environment values are still passed and can intentionally provide credentials
  • safe operational env such as PATH is retained
  • the opencode command still gets BUN_BE_BUN=1

How did you verify your code works?

  • bun test test/mcp/lifecycle.test.ts from packages/opencode
  • bun run typecheck from packages/opencode
  • bunx oxlint packages/opencode/src/mcp/index.ts packages/opencode/test/mcp/lifecycle.test.ts from repo root (0 errors; existing warnings in these files remain)
  • git diff --check

Note: local git push pre-push hook requires Bun ^1.3.14; this machine has Bun 1.3.11, so I pushed with --no-verify after the focused tests above passed.

Screenshots / recordings

Not applicable. This is MCP subprocess environment behavior covered by tests.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR
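
The allowlist-then-overlay behavior described in this PR, as an added TypeScript example that is not the PR's own code. The function names, the exact allowlisted variable names, the overlay ordering relative to BUN_BE_BUN, and the sample values are assumptions made for illustration.

```typescript
// Added illustration; all names here are hypothetical, not taken from the PR diff.
type Env = Record<string, string | undefined>

// Assumed allowlist. The PR names the categories (PATH, temp/home variables,
// Windows process basics, locale); the exact variable names are this example's choice.
const ALLOWED = new Set([
  "PATH", "HOME", "USERPROFILE", "TMPDIR", "TMP", "TEMP",
  "SYSTEMROOT", "WINDIR", "COMSPEC", "PATHEXT", "LANG",
])

function isAllowed(name: string, windows: boolean): boolean {
  // Windows variable names are case-insensitive ("Path", "SystemRoot").
  const key = windows ? name.toUpperCase() : name
  return ALLOWED.has(key) || key.startsWith("LC_")
}

function buildLocalMcpEnv(parent: Env, explicit: Record<string, string>,
                          command: string[], windows = false): Record<string, string> {
  const env: Record<string, string> = {}
  for (const [name, value] of Object.entries(parent)) {
    if (value !== undefined && isAllowed(name, windows)) env[name] = value
  }
  // Compatibility flag described in the PR for the opencode command.
  if (command[0] === "opencode") env["BUN_BE_BUN"] = "1"
  // Explicit per-server mcp.environment is applied last (ordering assumed here),
  // so credentials configured on purpose still reach the server.
  return { ...env, ...explicit }
}

// Names (never values) of parent variables that were withheld from the child.
function withheldNames(parent: Env, child: Record<string, string>): string[] {
  const kept = new Set(Object.keys(child))
  return Object.keys(parent).filter((name) => !kept.has(name)).sort()
}

// Constructed sample parent environment; every value is fake.
const sampleParent: Env = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/dev",
  LC_ALL: "en_US.UTF-8",
  OPENAI_API_KEY: "constructed-openai-value",
  ANTHROPIC_API_KEY: "constructed-anthropic-value",
}
const sampleChild = buildLocalMcpEnv(
  sampleParent, { GITHUB_TOKEN: "constructed-token" }, ["opencode", "mcp"])
```

Reporting only the withheld names gives a reviewer a way to confirm what a server did not receive without writing secret values to a log.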


Development

Successfully merging this pull request may close these issues.

[BUG] MCP server subprocess receives full process.env (API keys leaked)
