Show draft reviewer credential status per key in cr init

[rianjs]

Problem

Once reviewer credentials can be collected before final commit, users need a safe way to understand the in-memory draft state when they revisit the reviewer entity flow. The UI should never show secret values, but it should clearly show which credential keys are missing, already present in the configured backend, staged in memory, skipped, or deferred.

This matters most for GitHub App reviewers because the credential bundle has two required keys and one optional key.

Related: #291, #317, #347.

Desired behavior

Reviewer entity editing should include a credential status section for credential-bearing reviewer entities.

The status should be key-specific and should not expose secret values:

• missing: required key is neither present in the backend nor staged in memory.
• existing: key exists in the resolved credential backend.
• staged: key has a draft-local value that will be written at commit.
• skipped optional: optional key was intentionally skipped.
• deferred: user chose to configure later.

The section should also summarize the destination, including the credential ref and resolved secrets-management profile/backend when available.

Acceptance criteria

• PAT reviewer status shows only git_token.
• GitHub App reviewer status shows github_app_id, github_app_private_key, and optional github_app_installation_id.
• Staged secrets are represented as staged/pending without rendering secret values.
• Existing stored secrets can be kept without forcing overwrite.
• Existing partial GitHub App credentials surface which required key is still missing.
• Returning to reviewer entity setup after setting draft secrets shows those keys as staged.
• Final commit summary includes reviewer credential readiness without leaking secret values.

Empirical verification

Use tmux to drive cr init in a real PTY.

Required captures:

• Before entering secrets: GitHub App reviewer shows required keys as missing.
• After entering app id/private key and skipping installation id: those required keys show staged, optional key shows skipped/optional.
• Re-entering reviewer entity setup before commit preserves the staged status.
• A seeded backend with an existing PAT reviewer token shows git_token as existing and offers keep/replace behavior.
• No captured screen includes raw secret values.

[rianjs]

Issue #348: Show draft reviewer credential status per key in cr init

Goal

Show non-secret, key-specific reviewer credential readiness inside reviewer-entity setup so users can understand missing, existing, staged, skipped optional, and deferred reviewer credential state before final commit.

Scope

• Focus only on reviewer entities and reviewer credential refs.
• Do not render raw secret values or value lengths.
• Do not redesign the generic secret-entry prompts beyond surfacing status before/inside reviewer setup.
• Keep Surface resolved secrets backend context in credential-bearing init flows #349 destination/backend wording improvements limited to the destination summary needed by Show draft reviewer credential status per key in cr init #348.

Implementation Plan

1. Model reviewer credential status rows.

   • Add small internal structs for reviewer credential status, with credential ref, auth mode, resolved secrets profile/backend, and per-key rows.
   • Treat reviewer entity names as rendering labels only; authoritative status identity is the active credential-plan entry: resolved store, purpose, auth mode, credential ref, and key.
   • Represent per-key states as missing, existing, staged, skipped optional, deferred, and optional for an optional key that has no existing value and has not yet been skipped.
   • Derive key rows from initCredentialPlanEntry.KeySpecs, session.writes, session.credentialDecisions, and existing backend keys.
   • Treat draft writes as staged without exposing values.
   • Use explicit precedence per key: staged > skipped optional > deferred > existing > missing for required keys, with optional as the final state for optional keys.
   • Treat defer decisions key-by-key: existing keys still show existing; only unresolved required keys show deferred.

2. Compute status in the interactive session context.

   • Extend initPromptContext with reviewer credential status keyed by credential ref / auth mode, plus enough mapping for reviewer entity rendering to find the matching active status.
   • Build the status from the current session immediately before reviewer inventory/detail rendering.
   • Resolve existing backend keys through openInitStoreForEntry, reusing the credential-plan entry store resolution rather than inventing a separate lookup path.
   • If backend inspection fails due config/profile/backend errors or runtime store failures such as unavailable 1Password, surface a safe “status unavailable” note rather than panic, force secret collection, or leak secret material.

3. Render status in reviewer-entity UI.

   • Add a reviewer credential status section to existing and newly staged credential-bearing reviewer entity detail screens.
   • Include the credential ref and resolved secrets profile/backend destination in the section.
   • For PAT reviewers, show only git_token.
   • For GitHub App reviewers, show github_app_id, github_app_private_key, and optional github_app_installation_id.
   • Do not render a credential status section for the profile Git-account fallback.

4. Preserve commit and collection behavior.

   • Keep existing set-now/defer/keep behavior from Move reviewer credential secret capture into reviewer-entity init flow #347.
   • Ensure returning to reviewer entity setup after draft secrets are entered shows those keys as staged.
   • Ensure existing partial GitHub App credentials show present keys as existing and missing required keys as missing.
   • Ensure skipped optional installation id remains visible as skipped optional.
   • Ensure defer with partial existing credentials keeps existing keys visible as existing and marks only unresolved required keys as deferred.
   • Ensure final commit readiness summaries continue to mention reviewer credential readiness without rendering staged secret values.

5. Update docs.

   • Add a short docs/init-ux-contract.md note that reviewer entity setup shows key-level credential readiness without exposing values.
   • Mention that draft writes and defer/skip decisions are session-local and filtered when the reviewer credential ref changes.

Verification

• go test ./internal/cmd/credentialcmd -run 'TestInitReviewerCredentialStatus|TestInitInteractiveMenuFocused.*Reviewer|TestHuhInitReviewerEntity'
  • Include a backend-inspection failure case that renders a non-secret status unavailable note.
• make lint
• make test
• make build
• make tidy
• tmux 120x40 empirical checks:
  • Configure a GitHub App reviewer and verify the reviewer screen shows github_app_id and github_app_private_key as missing before entering secrets.
  • Set app id and private key, skip installation id, return to reviewer entities before commit, and verify required keys show staged while the optional key shows skipped optional.
  • Seed a backend with an existing PAT reviewer token and verify git_token shows existing and the keep/replace path is offered.
  • Seed partial GitHub App credentials and defer missing keys, then verify existing keys remain existing while unresolved required keys show deferred or missing according to the chosen action.
  • Commit after draft reviewer credentials and verify readiness/summary output mentions reviewer credential readiness without raw values.
  • Verify no tmux capture contains raw sentinel secret values.