fix!: require environment on diagram lookup and attribute keys queries

Closes two cross-env data leakage paths. Both endpoints previously
returned data aggregated across all environments, so a diagram or
attribute key from dev could appear in a prod UI query (and vice versa).

B1: GET /api/v1/diagrams?application=&routeId= now requires
?environment= and resolves agents via
registryService.findByApplicationAndEnvironment instead of
findByApplication. Prevents serving a dev diagram for a prod route.

B2: GET /api/v1/search/attributes/keys now requires ?environment=.
SearchIndex.distinctAttributeKeys gains an environment parameter and
the ClickHouse query adds the env filter alongside the existing
tenant_id filter. Prevents prod attribute names leaking into dev
autocompletion (and vice versa).

SPA hooks updated to thread environment through from
useEnvironmentStore; query keys include environment so React Query
re-fetches on env switch. No call-site changes needed — hook
signatures unchanged.

B3 (AgentMetricsController env scope) deferred to P3C: agent-env is
effectively 1:1 today via the instance_id naming
({envSlug}-{appSlug}-{replicaIndex}), and the URL migration in P3C
to /api/v1/environments/{env}/agents/{agentId}/metrics naturally
introduces env from path. A minimal P1 fix would regress the "view
metrics of a killed agent" case.

BREAKING CHANGE: Both endpoints now require ?environment= (slug).
Clients omitting the parameter receive 400.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ui/src/api/queries/diagrams.ts

@@ -1,5 +1,6 @@
 import { useQuery } from '@tanstack/react-query';
 import { api } from '../client';
+import { useEnvironmentStore } from '../environment-store';
 
 export interface DiagramNode {
   id?: string;
@@ -53,15 +54,16 @@ export function useDiagramByRoute(
   routeId: string | undefined,
   direction: 'LR' | 'TB' = 'LR',
 ) {
+  const environment = useEnvironmentStore((s) => s.environment);
   return useQuery({
-    queryKey: ['diagrams', 'byRoute', application, routeId, direction],
+    queryKey: ['diagrams', 'byRoute', environment, application, routeId, direction],
     queryFn: async () => {
       const { data, error } = await api.GET('/diagrams', {
-        params: { query: { application: application!, routeId: routeId!, direction } },
+        params: { query: { application: application!, environment: environment!, routeId: routeId!, direction } },
       });
       if (error) throw new Error('Failed to load diagram for route');
       return data as DiagramLayout;
     },
-    enabled: !!application && !!routeId,
+    enabled: !!application && !!routeId && !!environment,
   });
 }

ui/src/api/queries/executions.ts

@@ -1,5 +1,6 @@
 import { useQuery } from '@tanstack/react-query';
 import { api } from '../client';
+import { useEnvironmentStore } from '../environment-store';
 import type { SearchRequest } from '../types';
 import { useLiveQuery } from './use-refresh-interval';
 
@@ -35,17 +36,20 @@ export function useExecutionStats(
 }
 
 export function useAttributeKeys() {
+  const environment = useEnvironmentStore((s) => s.environment);
   return useQuery({
-    queryKey: ['search', 'attribute-keys'],
+    queryKey: ['search', 'attribute-keys', environment],
     queryFn: async () => {
       const token = (await import('../../auth/auth-store')).useAuthStore.getState().accessToken;
       const { config } = await import('../../config');
-      const res = await fetch(`${config.apiBaseUrl}/search/attributes/keys`, {
-        headers: { Authorization: `Bearer ${token}` },
-      });
+      const res = await fetch(
+        `${config.apiBaseUrl}/search/attributes/keys?environment=${encodeURIComponent(environment!)}`,
+        { headers: { Authorization: `Bearer ${token}` } },
+      );
       if (!res.ok) throw new Error('Failed to load attribute keys');
       return res.json() as Promise<string[]>;
     },
+    enabled: !!environment,
     staleTime: 60_000,
   });
 }