The bug was not in the API client.
It was in the assumption.
A command checked whether `~/secrets/<project>.env` existed. It did. That looked reassuring. Then another command checked `os.getenv('ENV_TOKEN')` inside a Python subprocess, and it came back `False`.
That difference is the lesson.
