
Potential fix for code scanning alert no. 31: Clear-text logging of sensitive information #43

Merged
johnteee merged 1 commit into main from alert-autofix-31 on Jun 1, 2026

Potential fix for code scanning alert no. 31: Clear-text logging of sensitive information#43
johnteee merged 1 commit into
mainfrom
alert-autofix-31

Conversation

@johnteee (Member) commented Jun 1, 2026

Potential fix for https://github.com/TeaEntityLab/teaAgent/security/code-scanning/31

General fix: ensure anything serialized for output is transformed into a strictly safe representation that cannot contain raw secrets, regardless of source taint. In practice, keep existing redaction but add a deterministic deep “safe-for-log” transformer that redacts by key name and by value heuristics, including env-var-like secret identifiers (*_API_KEY, *_TOKEN, etc.), before calling json.dumps.

Best fix in this file: update print_json flow to run a final deep sanitizer that:

  • redacts sensitive keys (existing _is_sensitive_key);
  • redacts suspicious string values (existing _looks_like_sensitive_string);
  • additionally redacts env-name strings that look like secret variable names (e.g., OPENAI_API_KEY, AIGATEWAY_API_TOKEN), which addresses variants tied to api_key_env;
  • preserves non-sensitive structure/functionality (same JSON output shape, only secret-like values replaced).

Changes are only needed in teaagent/cli/_handlers/_doctor.py, in the sanitization/helper region and print_json.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@johnteee johnteee marked this pull request as ready for review June 1, 2026 10:02
@johnteee johnteee merged commit 7f65dea into main Jun 1, 2026
19 checks passed
@johnteee johnteee deleted the alert-autofix-31 branch June 1, 2026 10:02
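The deep "safe-for-log" sanitizer that the PR description outlines, written out as an added example; this is not the merged commit's code and not teaAgent's own. `_is_sensitive_key`, `_looks_like_sensitive_string` and `print_json` are names the description mentions, but their bodies here are assumptions about how such helpers behave; `sanitize_for_log`, `_looks_like_secret_env_name`, `safe_json_dumps`, the regexes and the sample doctor report are constructed for this example.

```python
"""Deep "safe-for-log" sanitizer for structured CLI output (example code, not teaAgent's own)."""
import json
import re
from typing import Any

REDACTED = "[REDACTED]"

# Key names that indicate a secret-bearing field (case-insensitive substring match).
# Assumed implementation of the _is_sensitive_key helper the PR mentions.
_SENSITIVE_KEY_RE = re.compile(
    r"api[_-]?key|secret|token|passw(?:or)?d|credential|private[_-]?key|authorization",
    re.IGNORECASE,
)

# Env-var names that name a secret (OPENAI_API_KEY, AIGATEWAY_API_TOKEN, ...).
# Anchored so ordinary names such as HOME or PATH never match.
_SECRET_ENV_NAME_RE = re.compile(
    r"^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)*_(?:API_KEY|TOKEN|SECRET|PASSWORD|ACCESS_KEY|PRIVATE_KEY)$"
)

# Value heuristics: well-known credential formats, then long opaque alphanumeric blobs.
# Assumed implementation of the _looks_like_sensitive_string helper the PR mentions.
_SECRET_VALUE_RE = re.compile(
    r"^(?:sk-[A-Za-z0-9_\-]{16,}"                               # OpenAI-style keys
    r"|gh[pousr]_[A-Za-z0-9]{20,}"                              # GitHub tokens
    r"|AKIA[0-9A-Z]{16}"                                        # AWS access key ids
    r"|Bearer\s+\S+"                                            # bearer header values
    r"|eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]*)$"  # JWTs
)
_OPAQUE_BLOB_RE = re.compile(r"^[A-Za-z0-9_\-+=]{32,}$")


def _is_sensitive_key(key: Any) -> bool:
    return isinstance(key, str) and _SENSITIVE_KEY_RE.search(key) is not None


def _looks_like_secret_env_name(value: str) -> bool:
    return _SECRET_ENV_NAME_RE.match(value) is not None


def _looks_like_sensitive_string(value: str) -> bool:
    if _SECRET_VALUE_RE.match(value):
        return True
    # Long opaque strings that mix letters and digits are treated as credentials.
    return (
        _OPAQUE_BLOB_RE.match(value) is not None
        and re.search(r"[A-Za-z]", value) is not None
        and re.search(r"[0-9]", value) is not None
    )


def sanitize_for_log(obj: Any, *, _under_sensitive_key: bool = False) -> Any:
    """Return a deterministic copy of obj with secret-like leaves replaced by REDACTED.

    Dict keys, key order and list structure are preserved (same JSON shape).
    Everything nested under a sensitive key is redacted leaf by leaf, so a secret
    hidden in a sub-dict or list under "credentials" cannot slip through.
    The input is never mutated.
    """
    if isinstance(obj, dict):
        return {
            k: sanitize_for_log(v, _under_sensitive_key=_under_sensitive_key or _is_sensitive_key(k))
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return [sanitize_for_log(v, _under_sensitive_key=_under_sensitive_key) for v in obj]
    if isinstance(obj, str):
        if _under_sensitive_key or _looks_like_secret_env_name(obj) or _looks_like_sensitive_string(obj):
            return REDACTED
        return obj
    if _under_sensitive_key and obj is not None and not isinstance(obj, bool):
        return REDACTED  # numeric secrets (PINs, account numbers) under a sensitive key
    return obj  # bools, None and non-sensitive numbers pass through unchanged


def safe_json_dumps(obj: Any, **kwargs: Any) -> str:
    """json.dumps with the sanitizer applied first; the final step before any output."""
    return json.dumps(sanitize_for_log(obj), **kwargs)


def print_json(obj: Any) -> None:
    print(safe_json_dumps(obj, indent=2, ensure_ascii=False))


# Constructed sample of what a diagnostic ("doctor") command might collect; not real data.
SAMPLE_DOCTOR_REPORT = {
    "provider": "openai",
    "api_key_env": "OPENAI_API_KEY",
    "api_key": "sk-abcdefghijklmnopqrstuvwxyz0123456789",
    "gateway": {"api_key_env": "AIGATEWAY_API_TOKEN", "base_url": "https://gateway.example.invalid/v1"},
    "env": {"HOME": "/home/alice", "PATH": "/usr/bin:/bin", "OPENAI_API_KEY": "sk-short", "SHELL": "/bin/bash"},
    "env_vars_checked": ["OPENAI_API_KEY", "HOME", "AIGATEWAY_API_TOKEN"],
    "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abc123"},
    "timeout_seconds": 30,
    "model": "gpt-4o-mini",
}

if __name__ == "__main__":
    print_json(SAMPLE_DOCTOR_REPORT)
```

Two design points worth noting. First, redaction under a sensitive key is applied to every leaf beneath it rather than to the scalar directly under it, otherwise `{"credentials": {"value": "..."}}` or `{"tokens": ["..."]}` would pass untouched while the output shape still matches the original. Second, the value heuristics err toward over-redaction: a 64-character hex digest or a long base64 blob will be replaced even when it is harmless, while a secret embedded inside free-form text ("failed with key sk-... at ...") is not caught by the anchored patterns. For a log sanitizer that is the right direction of error, but it is why the key-name and env-name checks remain the primary defence and the value heuristics only the backstop.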