- Add .env.tpl with op://ThioBot/... refs (replaces plaintext .env workflow).
  Resolve at runtime with: op inject -i .env.tpl -o .env -f
- docker-compose: pass LITELLM_MASTER_KEY/LITELLM_BASE_URL instead of
  ANTHROPIC_API_KEY. Containers reach the host LiteLLM proxy via
  host.docker.internal:4000 (extra_hosts: host-gateway for Linux).
- README: document the 1Password workflow as the primary path; .env.example
  kept as legacy fallback for contributors without vault access.
- gitignore: cover .env.*.bak and .env.pre-* backup files.

All LLM calls now flow through the LiteLLM gateway, per the project routing
policy in ~/.claude/rules/common/llm-routing.md. No provider keys
(ANTHROPIC/OPENAI/etc) live in CMOAgent env vars or files anymore.

Validated end-to-end: docker compose up --force-recreate, all 4 services
healthy, in-container claude-haiku call via LiteLLM returns expected response.