docs: clarify that credential env vars are host-side (fixes #24678)

The credentials page could be misread as suggesting you set API key
environment variables inside the sandbox. Clarified that env vars are
read from the host shell, and added a note that model-provider keys
set inside the sandbox have no effect because the proxy handles
credential injection from the host.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: dvdksn

content/manuals/ai/sandboxes/security/credentials.md

@@ -126,14 +126,20 @@ $ sbx run claude
 The proxy reads the variable from your terminal session. See individual
 [agent pages](../agents/) for the variable names each agent expects.
 
+> [!NOTE]
+> These environment variables are set on your host, not inside the sandbox.
+> Sandbox agents are pre-configured to use credentials managed by the
+> host-side proxy. For custom environment variables not tied to a
+> [supported service](#supported-services), see
+> [Setting custom environment variables](../faq.md#how-do-i-set-custom-environment-variables-inside-a-sandbox).
+
 ## Best practices
 
 - Use [stored secrets](#stored-secrets) over environment variables. The OS
   keychain encrypts credentials at rest and controls access, while environment
   variables are plaintext in your shell.
-- Don't set API keys manually inside the sandbox. Credentials stored in
-  environment variables or configuration files inside the VM are readable by
-  the agent process directly.
+- Don't set API keys manually inside the sandbox. Sandbox agents are
+  pre-configured to use proxy-managed credentials.
 - For Claude Code and Codex, OAuth is another secure option: the flow runs on
   the host, so the token is never exposed inside the sandbox. For Claude Code,
   use `/login` inside the agent. For Codex, run `sbx secret set -g openai --oauth`.