left4me: wire STEAM_WEB_API_KEY through to web.env

Adds the metadata key default (None — node must override) and pipes it
into web.env.mako so the live-state poller can resolve Steam IDs to
persona names + avatars via GetPlayerSummaries.

ovh.left4me gets the actual key as an encrypted vault secret.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

bundles/left4me/files/etc/left4me/web.env.mako

@@ -5,3 +5,4 @@ JOB_WORKER_THREADS=${node.metadata.get('left4me/job_worker_threads')}
 SESSION_COOKIE_SECURE=true
 LEFT4ME_PORT_RANGE_START=${node.metadata.get('left4me/port_range_start')}
 LEFT4ME_PORT_RANGE_END=${node.metadata.get('left4me/port_range_end')}
+STEAM_WEB_API_KEY=${node.metadata.get('left4me/steam_web_api_key')}

bundles/left4me/metadata.py

@@ -12,6 +12,12 @@ defaults = {
         'gunicorn_workers': 1,
         'gunicorn_threads': 32,
         'job_worker_threads': 4,
+        # Steam Web API key for the live-state panel's GetPlayerSummaries
+        # lookups (persona names + avatars). Empty default — nodes override
+        # in their own metadata with the actual key. If left empty in prod,
+        # the live-state panel still works but falls back to RCON in-game
+        # names and placeholder avatars.
+        'steam_web_api_key': '',
         # Whole 27000-block: covers Steam's defaults (27015 game, 27005
         # client/RCON) plus headroom for ad-hoc ports without further
         # nftables changes. Mirrored into LEFT4ME_PORT_RANGE_{START,END}

nodes/ovh.left4me.py

@@ -47,6 +47,7 @@
             # /sys/devices/system/cpu/cpu0/topology/thread_siblings_list).
             # Keeps system work off the physical cores running game ticks.
             'system_cpus': {0, 4},
+            'steam_web_api_key': 'encrypt$gAAAAABqA2whFHIw95XJcU9l8oWG-Lwe1ZQbYKDXa1iRI3Oopg3LZIgr--yksABXnKwfB2KIKM9y8o0hhIcUri7JEJjQvgh4IoG0J-IRPBEG56kiW5J4DKi8wW0ks-jeV7lZiW_j9o0z',
         },
     },
 }