fix(secrets): preserve masked ADO secrets on definition PUT #604

Merged: jamesadevine merged 1 commit into main from copilot/update-secrets-documentation on May 17, 2026
Copilot AI commented May 17, 2026

Summary

ADO build-definition GET responses mask existing secret variables as ***. When secrets set round-tripped the full definition via PUT, those masked siblings could be written back literally, replacing real stored secrets.

  • Preserve masked secret siblings

    • Normalize secret variables returned as {"isSecret": true, "value": "***"} to value: null before any definition PUT.
    • This keeps unchanged secrets intact while still allowing the targeted secret update.
  • Apply the fix across definition round-trips

    • secrets set
    • secrets delete
    • enable --also-set-token
    • shared build-definition update helpers that mutate and PUT definitions back
  • Document the ADO-specific behavior

    • Add a note under docs/cli.md for secrets set describing why masked secrets are normalized before PUT.
{
  "SECRET_A": { "isSecret": true, "value": null },
  "SECRET_B": { "isSecret": true, "value": "new-value" }
}

Test plan

Covered by targeted unit coverage for masked-secret normalization and existing repo validation.

@jamesadevine jamesadevine marked this pull request as ready for review May 17, 2026 22:03
@jamesadevine jamesadevine merged commit 2e0a0bb into main May 17, 2026
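
The normalization described in the PR summary, as an added example in Python (not the project's code and not part of this PR). The top-level `variables` map and all function names are assumptions, and the sample GET response is constructed.

```python
import copy

MASK = "***"  # masked value the PR summary says GET returns for secrets


def normalize_masked_secrets(variables):
    """Copy the variables map, turning masked secret values into None."""
    out = copy.deepcopy(variables)
    for var in out.values():
        # Only secrets are touched: a plain variable may legitimately hold "***".
        if var.get("isSecret") is True and var.get("value") == MASK:
            var["value"] = None
    return out


def masked_secret_names(body):
    """Names of secrets a PUT body would overwrite with the literal mask."""
    return sorted(
        name for name, var in body.get("variables", {}).items()
        if var.get("isSecret") is True and var.get("value") == MASK
    )


def build_put_body(definition, name, new_value):
    """PUT body that updates one secret and leaves masked siblings as null."""
    body = copy.deepcopy(definition)
    body["variables"] = normalize_masked_secrets(body.get("variables", {}))
    body["variables"][name] = {"isSecret": True, "value": new_value}
    leaked = masked_secret_names(body)
    if leaked:  # guard: refuse to send the mask as a secret value
        raise ValueError(f"masked secrets in PUT body: {leaked}")
    return body


# Constructed GET response; the "variables" layout is an assumption.
SAMPLE_GET = {
    "id": 1,
    "variables": {
        "SECRET_A": {"isSecret": True, "value": "***"},
        "SECRET_B": {"isSecret": True, "value": "***"},
        "PLAIN": {"isSecret": False, "value": "***"},
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_put_body(SAMPLE_GET, "SECRET_B", "new-value"), indent=2))
```

Running `masked_secret_names` on a definition fetched straight from GET lists the secrets that an un-normalized round-trip would have replaced with the mask.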