Move reviewer credential secret capture into reviewer-entity init flow

[rianjs]

Problem

cr init currently lets users configure a PAT or GitHub App reviewer entity, stage it, return to the main menu, and only later asks how to handle the credentials. That makes the reviewer setup feel incomplete and surprising: the UI explains the required GitHub App keys, but the user does not get an attached, key-specific credential step until finalization.

The write semantics are still correct: no config or keyring writes should happen until Commit staged changes and exit. The UX problem is where credential values are collected and how specifically they are represented.

Related: #291, #317.

Desired behavior

After configuring a separate reviewer entity, the reviewer-entity flow should immediately present a reviewer credential step before returning to the main menu.

The step should be specific to the selected auth mode:

• PAT reviewer: one required key, git_token.
• GitHub App reviewer: required keys github_app_id and github_app_private_key, optional key github_app_installation_id.
• Profile Git account reviewer: no separate reviewer credential step.

Secret values collected here must remain draft-local/in-memory until the user commits staged changes. Back without staging and Discard staged changes and exit must not write config or credentials.

Acceptance criteria

• Configuring a new PAT reviewer shows a reviewer credential step for git_token directly after reviewer settings are staged.
• Configuring a new GitHub App reviewer shows reviewer credential handling for github_app_id, github_app_private_key, and optional github_app_installation_id directly after reviewer settings are staged.
• Choosing set-now stores the entered values only in the init session draft until commit.
• Choosing defer returns to the main menu and causes commit to print follow-up cr set-credential commands for missing required keys.
• Planned reviewer credential writes suppress duplicate finalization prompts for the same reviewer ref.
• Existing final commit semantics remain intact: config and credential writes happen only after Commit staged changes and exit.

Empirical verification

Use tmux to drive cr init in a real PTY.

Required captures:

• New GitHub App reviewer flow reaches a key-specific credential step immediately after staging reviewer settings.
• Set-now path accepts app id/private key, skips optional installation id, returns to the main menu, and commit does not ask for reviewer credentials again.
• Defer path returns to the main menu and commit prints required set-credential hints.
• PAT reviewer path shows exactly one required reviewer secret, git_token.
• Discard path leaves both config and credential store unchanged.

[rianjs]

Issue #347: Move reviewer credential secret capture into reviewer-entity init flow

Goal

Make reviewer credential handling feel attached to reviewer entity setup while preserving existing init draft semantics: no config or credential-store writes until Commit staged changes and exit.

Scope

• Keep this ticket focused on prompt timing, key-specific reviewer wording, and duplicate-final-prompt suppression.
• Do not implement the full per-key status dashboard from Show draft reviewer credential status per key in cr init #348.
• Do not implement resolved backend/1Password destination summaries beyond existing suffixes from Surface resolved secrets backend context in credential-bearing init flows #349.
• Update docs that currently say credential collection belongs near final commit.

Implementation Plan

1. Add reviewer-aware credential prompt copy.

   • Introduce helpers that derive a user-facing credential bundle label and key summary from initCredentialPlanEntry.
   • For reviewer PAT refs, title/copy should name the PAT reviewer secret and git_token.
   • For reviewer GitHub App refs, title/copy should name GitHub App reviewer secrets and required/optional keys: github_app_id, github_app_private_key, github_app_installation_id.
   • Keep Git and LLM prompts compatible with current behavior.

2. Make focused reviewer-entity collection unambiguously before commit.

   • Preserve the existing collectInteractiveInitSessionWorkspaceSecrets(... reviewer_credentials ...) hook after a reviewer entity changes.
   • Add regression coverage that records secret prompter calls before the menu reaches Commit staged changes and exit.
   • Ensure set-now reviewer writes remain draft-local until applyInteractiveInitSessionPlan.

3. Add minimal draft credential decision state.

   • Introduce a session/workspace decision map keyed by resolved store/ref/key so reviewer choices made in the reviewer flow survive until commit.
   • Record deferred reviewer refs explicitly so commit-time planning can render hints without prompting again.
   • Record optional-key skips, especially github_app_installation_id, even though Show draft reviewer credential status per key in cr init #348 owns the richer status dashboard.
   • Preserve planned writes and satisfied refs for set-now behavior, but do not rely on them to represent defer/skip.

4. Suppress duplicate finalization prompts for reviewer refs already handled in the reviewer flow.

   • Add tests that set-now and defer choices made in the reviewer flow are not asked again at commit.
   • Confirm unrelated Git/LLM credentials still prompt normally.
   • Add a fallback regression that selecting "use profile's Git account" does not show a reviewer credential step.

5. Preserve discard/no-write behavior.

   • Add or extend tests where reviewer secrets are entered in the reviewer flow, then the session exits/discards without config or keyring writes.

6. Update docs.

   • Update docs/init-ux-contract.md to say reviewer subflows may collect draft-local secrets before commit, while untouched Git/LLM flows can still be handled at final commit.
   • Update docs/development.md if its init note would otherwise be stale.

Verification

• go test ./internal/cmd/credentialcmd -run 'TestInitInteractiveMenuFocused.*Reviewer|TestCollectInteractiveInitSecrets|TestInitInteractive.*Discard'
• make test
• make build
• tmux empirical checks with -x 120 -y 40:
  • Drive cr init to configure a GitHub App reviewer and verify the key-specific reviewer credential prompt appears before selecting commit.
  • Choose set-now for app id and a realistic multi-line PEM-shaped private key using clipboard or no-echo paste, skip optional installation id, return to main menu, commit, and verify no second reviewer credential prompt appears.
  • Choose defer for a GitHub App reviewer and verify final commit prints required set-credential hints only.
  • Configure a PAT reviewer and verify only git_token is requested.
  • Select "use profile's Git account" and verify no reviewer credential step appears.
  • Enter sentinel secret values, discard staged changes, and verify config/store and tmux captures do not contain the sentinel values.