inject_identity_env

Function inject_identity_env 

pub fn inject_identity_env(
    wstore: Arc<WaveStore>,
    block_id: &str,
    env_vars: &mut HashMap<String, String>,
)

Inject identity-derived env vars into the spawn map for a block.

This is the public entry point called from the CLI-spawn paths (AgentInputCommand in websocket.rs and AgentSendCommand in app_api.rs). Resolution flow:

  1. Look up the active AgentInstance for this block. If none exists, the caller didn’t go through the launch modal — return immediately, no injection.
  2. Read its identity_id. Empty / “blank” → no injection (the user picked the blank singleton at launch, meaning “use ambient creds”).
  3. Read the db_identity_bindings rows for that identity_id.
  4. For each binding: fetch the account, resolve its SecretRef, look up the provider’s env-var matrix, write each var into env_vars. Any per-binding failure is logged and skipped — other bindings still inject. The agent CLI launches with whatever resolved cleanly plus whatever ambient env was already in the spawn map.

This function is intentionally infallible at the top level. It has no Result, just side-effects on env_vars and tracing::warn for every per-binding error. The spawn never aborts because a secret didn’t resolve.
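
The resolution flow and the infallible top level, as an added std-only example (not the project's code). `Store`, `Binding`, `MATRIX`, the provider names and all values are hypothetical stand-ins; warnings are returned instead of sent to tracing::warn so they can be inspected, and overwriting a same-named ambient variable is an assumption of this example.

```rust
use std::collections::HashMap;
// Hypothetical stand-ins for the project's store; names and shapes are assumptions.
struct Binding { provider: &'static str, secret_ref: &'static str }
struct Store {
    instances: HashMap<&'static str, &'static str>, // block_id -> identity_id
    bindings: HashMap<&'static str, Vec<Binding>>,  // identity_id -> bindings
    secrets: HashMap<&'static str, &'static str>,   // secret_ref -> value
}
// Constructed provider -> env-var matrix.
const MATRIX: &[(&str, &[&str])] =
    &[("alpha", &["ALPHA_API_KEY"]), ("beta", &["BETA_TOKEN", "BETA_API_KEY"])];
// No Result: returns the warnings it would log. Warnings name the provider, never the secret.
fn inject(store: &Store, block_id: &str, env: &mut HashMap<String, String>) -> Vec<String> {
    let mut warnings = Vec::new();
    // Steps 1-2: no instance or blank identity means no injection.
    let Some(identity) = store.instances.get(block_id).filter(|id| !id.is_empty()) else {
        return warnings;
    };
    // Steps 3-4: each binding resolves independently; a failure skips only that binding.
    for b in store.bindings.get(*identity).into_iter().flatten() {
        let Some(secret) = store.secrets.get(b.secret_ref) else {
            warnings.push(format!("provider {}: secret ref did not resolve", b.provider));
            continue;
        };
        let Some((_, vars)) = MATRIX.iter().find(|(p, _)| *p == b.provider) else {
            warnings.push(format!("provider {}: no env-var matrix", b.provider));
            continue;
        };
        // Assumption: insert() replaces a same-named ambient variable.
        for v in vars.iter() { env.insert(v.to_string(), secret.to_string()); }
    }
    warnings
}

// Constructed data: "alpha" resolves, "beta" points at a missing secret.
fn demo(block_id: &str) -> (HashMap<String, String>, Vec<String>) {
    let store = Store {
        instances: HashMap::from([("block-1", "id-1"), ("block-2", "")]),
        bindings: HashMap::from([("id-1", vec![
            Binding { provider: "alpha", secret_ref: "ref-a" },
            Binding { provider: "beta", secret_ref: "ref-missing" },
        ])]),
        secrets: HashMap::from([("ref-a", "constructed-secret")]),
    };
    let mut env = HashMap::from([("PATH".to_string(), "/usr/bin".to_string())]);
    let warnings = inject(&store, block_id, &mut env);
    (env, warnings)
}

fn main() { println!("{:?}", demo("block-1").1); }
```

Because a failed binding only produces a warning, the agent CLI can start with fewer credentials than the selected identity implies, or fall back to ambient ones; the warnings are the only signal that this happened.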