feat(cli): validate sensitive fields require env() references

[tonychang04]

Summary

• Adds parseEnvRef() and validateSensitiveString() in src/lib/config-secrets.ts
• Sensitive TOML fields (OAuth client_secret, SMTP password, S3 secret key, etc.) MUST be env(NAME) references — never literal values
• Same convention as Vercel/Fly.io/Supabase: makes insforge.toml unconditionally safe to commit to git
• Foundation laid but not yet wired — first consumer will be [email.smtp] or [auth.providers.<built_in>]

Why this is a separate branch

The MVP scope on feat/insforge-toml-mvp (PR #109) is [auth] allowed_redirect_urls only — zero sensitive fields, so the validator wouldn't be exercised. This branch lands the foundation so the next sensitive section to ship has the validator ready to register.

Test plan

• 6 vitest cases in src/lib/config-secrets.test.ts — all pass
• Full src/lib test suite (18 tests across config-toml, config-diff, config-format, config-secrets) passes
• Wired into validateConfig() when first sensitive field section ships

🤖 Generated with Claude Code

---

Summary by cubic

Adds insforge.toml support to the CLI (export, plan, apply) for [auth] allowed_redirect_urls, and lays the groundwork to require env(NAME) refs for sensitive fields. Also fixes re-link to replace masked DATABASE_URL passwords with the real value.

• New Features

  • insforge config subcommands:
    • export writes live config to insforge.toml; plan shows a human-readable diff; apply updates the project via PUT /api/auth/config.
  • Config schema/codec for v1: InsforgeConfig with [auth].allowed_redirect_urls, TOML parsing/formatting via smol-toml, and deterministic output.
  • Structured diff and plan: diffConfig() and formatPlan() for clear change summaries.
  • Sensitive-field validation foundation: parseEnvRef() and validateSensitiveString() enforce env(NAME) (UPPER_SNAKE_CASE) with actionable errors; wiring will happen when SMTP/OAuth sections land.

• Bug Fixes

  • refreshStaleEnvDefaults now refreshes .env.local values that contain masked passwords (:****@) to the real platform value during re-link.

^{Written for commit 150ef30. Summary will update on new commits.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 03f54bfe-c725-4650-a3fc-75cdad776daf

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/insforge-toml-secrets-validation

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 2 files