DF-0121
Signed/unsigned confusion defeats length clamp in KENV_GET
Summary
KENV_GET: size_t len vs int uap->len comparison(:142). Negative uap->len promotes to SIZE_MAX, clamp skipped, copyout writes strlen(value)+1 bytes (max 129). Caller can only overwrite own buffer. API correctness issue.