fix(variable/update): stop exposing secret values in output #226

Merged
brian890809 merged 2 commits into main from bchen/sei-413-cli-variable-update-exposes-secret-values-in-output
Apr 14, 2026

Conversation

@brian890809 brian890809 commented Apr 13, 2026

Summary

  • variable update no longer prints secret values in table or JSON output — only the key names of explicitly updated variables are shown
  • Interactive mode masks existing values in the selection prompt (e.g., PASSWORD = K6H*** instead of the full value)
  • Fixes the issue where merging with existing variables caused ALL key-value pairs to be dumped, including secrets the user didn't touch

Closes SEI-413

Test plan

  • Run zeabur variable update --id <id> -i=false -k "FOO=bar" — output should show only FOO, no value
  • Run with --json — output should be [{"Key": "FOO"}], no Value field
  • Run in interactive mode — selection prompt should show masked values
  • Verify other existing variables (e.g., PASSWORD) are not leaked in any output mode

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Features

    • Variable values are now masked during interactive variable selection.
  • Changes

    • Interactive mode now records which keys you explicitly modify so only those are reported.
    • Non-interactive mode similarly reports only explicitly modified keys when applicable.
    • JSON and table outputs now list only the modified keys (no values displayed).

The update command was printing all variable key-value pairs (including
secrets the user didn't touch) after a successful update. Now it only
shows the keys that were explicitly updated, with no values displayed.
Interactive mode also masks existing values in the selection prompt.

Closes SEI-413

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

coderabbitai bot commented Apr 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 420b9745-dd5a-4628-ac83-cd1bf8a8b1e3

📥 Commits

Reviewing files that changed from the base of the PR and between e44e95b and e6893a1.

📒 Files selected for processing (1)
  • internal/cmd/variable/update/update.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • internal/cmd/variable/update/update.go

Walkthrough

The variable update command now records which keys were explicitly updated, masks existing values in the interactive UI, and changes non-interactive JSON/table outputs to report only the updated keys (values omitted).

Changes

Cohort / File(s): Variable Update Command (internal/cmd/variable/update/update.go)
Summary: Added updatedKeys to track keys explicitly changed; added maskValue() and updated interactive prompt to show masked values and append selected keys to updatedKeys; ensured non-interactive mode populates updatedKeys when empty; changed JSON output to emit only Key for updatedKeys and table output to list only keys.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name: Docstring Coverage
Status: ⚠️ Warning
Explanation: Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.
Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name: Description Check
Status: ✅ Passed
Explanation: Check skipped - CodeRabbit’s high-level summary is enabled.

Check name: Title check
Status: ✅ Passed
Explanation: The title clearly and specifically describes the main security fix: preventing secret values from being exposed in output. It directly matches the core objective of the changeset.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/cmd/variable/update/update.go`:
- Line 106: The code appends keyTable[updateVarSelect] to opts.updatedKeys
without checking for duplicates; modify the update path (where opts.updatedKeys
is appended) to ensure uniqueness by checking whether keyTable[updateVarSelect]
already exists in opts.updatedKeys (or maintain a temporary set/map of seen
keys) before appending, so that repeated edits of the same variable during an
interactive session do not produce duplicate entries in opts.updatedKeys and the
final JSON/table output.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 762bfef8-9784-40c4-98e6-d2440ed3d5e5

📥 Commits

Reviewing files that changed from the base of the PR and between eb837cb and e44e95b.

📒 Files selected for processing (1)
  • internal/cmd/variable/update/update.go

@brian890809 brian890809 requested a review from canyugs April 13, 2026 09:18
@brian890809 brian890809 self-assigned this Apr 13, 2026
Prevents duplicate rows in output when the same variable is edited
multiple times in one interactive session.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@brian890809 brian890809 merged commit de8a904 into main Apr 14, 2026
5 checks passed
@brian890809 brian890809 deleted the bchen/sei-413-cli-variable-update-exposes-secret-values-in-output branch April 14, 2026 06:20
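
The behaviour this PR describes, as an added example that is not the code from update.go: edited keys are recorded once each, the JSON output carries key names only, and prompt values are masked. The names maskValue and updatedKeys come from the page; mergeUpdates, keysJSON, the three-character prefix rule and all sample values are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// maskValue: assumed rule matching the page's "K6H***" sample; short values are fully hidden.
func maskValue(v string) string {
	r := []rune(v)
	if len(r) <= 3 {
		return "***"
	}
	return string(r[:3]) + "***"
}

// mergeUpdates (hypothetical helper) overlays edits and returns each edited key once, in order.
func mergeUpdates(existing map[string]string, edits [][2]string) (map[string]string, []string) {
	merged := make(map[string]string, len(existing)+len(edits))
	for k, v := range existing {
		merged[k] = v
	}
	seen := map[string]bool{}
	var updated []string
	for _, e := range edits {
		merged[e[0]] = e[1]
		if !seen[e[0]] {
			seen[e[0]] = true
			updated = append(updated, e[0])
		}
	}
	return merged, updated
}

// keysJSON (hypothetical helper): the row type has no Value field, so no value can be serialized.
func keysJSON(updated []string) (string, error) {
	type row struct{ Key string }
	rows := make([]row, 0, len(updated))
	for _, k := range updated {
		rows = append(rows, row{Key: k})
	}
	b, err := json.Marshal(rows)
	return string(b), err
}

func main() {
	_, updated := mergeUpdates(map[string]string{"PASSWORD": "K6Hconstructed"}, [][2]string{{"FOO", "bar"}, {"FOO", "baz"}}) // constructed values
	out, _ := keysJSON(updated)
	fmt.Println(out, maskValue("K6Hconstructed"))
}
```

The merged map still holds every variable for the API call; only the list of edited keys reaches the output path, which is what keeps untouched secrets such as PASSWORD out of the table and JSON.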