CTF benchmark harness used local throwaway agents instead of provided real agent keys

A CTF benchmark harness defaulted to minting local benchmark API keys and pointing MCP calls at a local API origin. This made runs exercise the local benchmark graph rather than the intended remote/shared knowledge graph with legitimate existing agent auth keys. The benchmark module also executed its main routine on import, so smoke imports could accidentally launch a benchmark.