feat: add apiKeys lib for direnv/sops single source of truth

- apiKeys: list of API key names (openai, google, anthropic, openrouter)
- mkDirenvStdlib: generates use_api_keys() bash function
- mkSopsSecrets: generates sops-nix secrets attribute set

Consumers (ops-dev, dotfiles) can now import from skills.lib
instead of maintaining duplicate key lists.

flake.nix

@@ -102,6 +102,42 @@
 
         # Helper to get all skill paths
         getAllSkillPaths = map (name: ./skills/${name}) availableSkills;
+
+        # API Keys - Single Source of Truth
+        # Used by both direnv stdlib and sops-nix configuration
+        apiKeys = [ "openai" "google" "anthropic" "openrouter" ];
+
+        # Generate direnv stdlib use_api_keys function
+        mkDirenvStdlib = keys:
+          let
+            toEnvVar = key: {
+              "openai" = "OPENAI_API_KEY";
+              "google" = "GEMINI_API_KEY";
+              "anthropic" = "ANTHROPIC_API_KEY";
+              "openrouter" = "OPENROUTER_API_KEY";
+            }.${key} or (builtins.throw "Unknown API key: ${key}");
+
+            # Google key exports both GEMINI_API_KEY and GOOGLE_API_KEY
+            mkExport = key:
+              if key == "google" then ''
+              [ -f /run/secrets/api_keys/${key} ] && export ${toEnvVar key}="$(cat /run/secrets/api_keys/${key})" && export GOOGLE_API_KEY="$GEMINI_API_KEY"''
+              else ''
+              [ -f /run/secrets/api_keys/${key} ] && export ${toEnvVar key}="$(cat /run/secrets/api_keys/${key})"'';
+          in ''
+            use_api_keys() {
+              ${builtins.concatStringsSep "\n  " (map mkExport keys)}
+            }
+          '';
+
+        # Generate sops-nix secrets attribute set
+        mkSopsSecrets = { keys, owner, group ? "users" }:
+          builtins.listToAttrs (map (key: {
+            name = "api_keys/${key}";
+            value = {
+              mode = "0600";
+              inherit owner group;
+            };
+          }) keys);
       };
     };
 }